Quoting jirutka on Github (lxc-...@linuxcontainers.org): > The following pull request was submitted through Github. > It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/1241 > > This e-mail was sent by the LXC bot, direct replies will not reach the author > unless they happen to be subscribed to this list. > > === Description (from pull-request) === > @brauner I’m not entirely sure about this, could you please answer me two > questions? > > 1. Am I right that `setfcap` is not a security risk, i.e. it cannot be abused > to escape from container to the host system?
No. > 2. Is it true that `setcap` cannot work in unprivileged containers (i.e. > containers that uses user namespace) anyway, only in privileged ones? > From 64365bc2e95b8a62223d65c160215a465b1b8c03 Mon Sep 17 00:00:00 2001 > From: Jakub Jirutka <ja...@jirutka.cz> > Date: Tue, 18 Oct 2016 18:09:42 +0200 > Subject: [PATCH] lxc-alpine: do not drop setfcap > > Signed-off-by: Jakub Jirutka <ja...@jirutka.cz> > --- > config/templates/alpine.common.conf.in | 1 - > 1 file changed, 1 deletion(-) > > diff --git a/config/templates/alpine.common.conf.in > b/config/templates/alpine.common.conf.in > index 1be61f7..b344426 100644 > --- a/config/templates/alpine.common.conf.in > +++ b/config/templates/alpine.common.conf.in > @@ -8,7 +8,6 @@ lxc.devttydir = > lxc.cap.drop = audit_write > lxc.cap.drop = ipc_owner > lxc.cap.drop = mknod > -lxc.cap.drop = setfcap > lxc.cap.drop = setpcap > lxc.cap.drop = sys_nice > lxc.cap.drop = sys_pacct > _______________________________________________ > lxc-devel mailing list > lxc-devel@lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel _______________________________________________ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel