The following pull request was submitted through GitHub.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/1241
This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.
=== Description (from pull-request) ===
@brauner I’m not entirely sure about this, could you please answer me two questions?
1. Am I right that `setfcap` is not a security risk, i.e. it cannot be abused to escape from container to the host system?
2. Is it true that `setcap` cannot work in unprivileged containers (i.e. containers that use user namespaces) anyway, only in privileged ones?
From 64365bc2e95b8a62223d65c160215a465b1b8c03 Mon Sep 17 00:00:00 2001
From: Jakub Jirutka <ja...@jirutka.cz>
Date: Tue, 18 Oct 2016 18:09:42 +0200
Subject: [PATCH] lxc-alpine: do not drop setfcap
Signed-off-by: Jakub Jirutka <ja...@jirutka.cz>
config/templates/alpine.common.conf.in | 1 -
1 file changed, 1 deletion(-)
diff --git a/config/templates/alpine.common.conf.in
index 1be61f7..b344426 100644
@@ -8,7 +8,6 @@ lxc.devttydir =
lxc.cap.drop = audit_write
lxc.cap.drop = ipc_owner
lxc.cap.drop = mknod
-lxc.cap.drop = setfcap
lxc.cap.drop = setpcap
lxc.cap.drop = sys_nice
lxc.cap.drop = sys_pacct
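Review bot: the removal of `lxc.cap.drop = setfcap` comes with no stated justification. The commit message is only its subject line, and the pull-request description still leaves open whether keeping setfcap is safe. Because the path is the common Alpine template config, please add a commit body saying what inside the container needs setfcap and why retaining it is acceptable while `setpcap` and `mknod` stay dropped. A short comment in the config noting that setfcap is kept deliberately would stop a later cleanup from re-adding the drop.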