The following pull request was submitted through GitHub. It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/1241

This e-mail was sent by the LXC bot; direct replies will not reach the author unless they happen to be subscribed to this list.

=== Description (from pull-request) ===

@brauner I’m not entirely sure about this, could you please answer me two questions?

1. Am I right that `setfcap` is not a security risk, i.e. it cannot be abused to escape from container to the host system?
2. Is it true that `setcap` cannot work in unprivileged containers (i.e. containers that use user namespace) anyway, only in privileged ones?
From 64365bc2e95b8a62223d65c160215a465b1b8c03 Mon Sep 17 00:00:00 2001 From: Jakub Jirutka <ja...@jirutka.cz> Date: Tue, 18 Oct 2016 18:09:42 +0200 Subject: [PATCH] lxc-alpine: do not drop setfcap Signed-off-by: Jakub Jirutka <ja...@jirutka.cz> --- config/templates/alpine.common.conf.in | 1 - 1 file changed, 1 deletion(-) diff --git a/config/templates/alpine.common.conf.in b/config/templates/alpine.common.conf.in index 1be61f7..b344426 100644 --- a/config/templates/alpine.common.conf.in +++ b/config/templates/alpine.common.conf.in @@ -8,7 +8,6 @@ lxc.devttydir = lxc.cap.drop = audit_write lxc.cap.drop = ipc_owner lxc.cap.drop = mknod -lxc.cap.drop = setfcap lxc.cap.drop = setpcap lxc.cap.drop = sys_nice lxc.cap.drop = sys_pacct
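Review bot: The deleted line `lxc.cap.drop = setfcap` in config/templates/alpine.common.conf.in is removed without any stated rationale. The commit message carries only the subject and a sign-off, and the pull-request description itself leaves open whether retaining the capability is safe and whether it has any effect in unprivileged containers. Since this template sets the default capability drop list for every Alpine container built from it, please add a commit body that names the use case inside the container that needs to set file capabilities and records the answers to those two questions once they are settled. The neighbouring entries (`mknod`, `setpcap`, `sys_nice`, `sys_pacct`) stay dropped, so a short comment in the template explaining why `setfcap` is the exception would also help the next person who audits this list.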