Hi,

Using kernel 3.1 and the LXC patches[*] to make lxc-attach work, if I drop capabilities such as CAP_NET_ADMIN from a container, if I access the container with lxc-attach, I have the full capabilities available in my host shell, not the limited capabilities of the container.

Is this on purpose? In my opinion the sensible behaviour would be to acquire the same capabilities as configured for the container. On the other hand, it could be useful to enter the container and keep the capabilities if, for example, one wants to reconfigure parts of the network (which cannot be done directly from the outside since the network namespace separates these devices).

The way I see it, the ideal solution would probably be that lxc-attach drops its capabilities by default (according to the config of the container specified with the -n option) and that there is an option (e.g. --keep-capabilities) that overrides this, in case the admin wants to execute something in the container with elevated privileges.

If you agree with me on the behaviour, I'd be happy to write a patch that implements this.

Christian

[*] http://lxc.sourceforge.net/patches/linux/3.0.0/3.0.0-lxc1/

Btw. they do not cleanly apply against 3.1 anymore, but can be trivially modified. And are these patches going to be merged with the official kernel tree at some point?

_______________________________________________
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel
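The drop-by-default behaviour proposed in the mail, shown as an added C example that is neither LXC code nor Christian's patch: it parses a constructed lxc.cap.drop line, removes those capabilities from the bounding set before the attach would exec, verifies they are gone, and honours a hypothetical --keep-capabilities flag; the capability-name table is a partial one assumed for the example.

```c
/* Added example (not LXC code): attach-side capability drop from an lxc.cap.drop line. Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/capability.h>
/* Partial name table (assumption for this example; LXC knows every capability). */
static const struct { const char *name; int cap; } cap_names[] = {
    { "net_admin", CAP_NET_ADMIN }, { "sys_module", CAP_SYS_MODULE },
    { "sys_admin", CAP_SYS_ADMIN }, { "mknod", CAP_MKNOD },
};
static int cap_from_name(const char *name) {
    for (size_t i = 0; i < sizeof cap_names / sizeof *cap_names; i++)
        if (strcmp(name, cap_names[i].name) == 0) return cap_names[i].cap;
    return -1;
}
/* Parse "lxc.cap.drop = a b c" into caps[]. Returns the count, or -1 on a malformed
 * line or an unknown name: refuse rather than attach with capabilities left over. */
int parse_cap_drop(const char *line, int *caps, int max) {
    const char *eq = strchr(line, '=');
    char buf[256], *tok, *save; int n = 0;
    if (!eq || strncmp(line, "lxc.cap.drop", 12) != 0) return -1;
    snprintf(buf, sizeof buf, "%s", eq + 1);
    for (tok = strtok_r(buf, " \t\n", &save); tok; tok = strtok_r(NULL, " \t\n", &save)) {
        int c = cap_from_name(tok);
        if (c < 0 || n == max) return -1;
        caps[n++] = c;
    }
    return n;
}
/* idx-th parsed capability number, or -1 (helper for the checks below). */
int parsed_cap(const char *line, int idx) {
    int caps[16], n = parse_cap_drop(line, caps, 16);
    return (idx >= 0 && idx < n) ? caps[idx] : -1;
}
/* 1 if cap is still in this process's bounding set, 0 if not; readable unprivileged. */
int capbset_has(int cap) { return prctl(PR_CAPBSET_READ, cap, 0, 0, 0); }
/* 0: every listed cap dropped and verified gone; 1: keep_caps (the hypothetical
 * --keep-capabilities flag) skipped the drop; 2: caller lacks CAP_SETPCAP (EPERM);
 * -1: bad config line or other failure. Meant to run right before exec into the container. */
int drop_caps_for_attach(const char *line, int keep_caps) {
    int caps[16], n = parse_cap_drop(line, caps, 16), i;
    if (n < 0) return -1;
    if (keep_caps) return 1;
    for (i = 0; i < n; i++) {
        if (prctl(PR_CAPBSET_DROP, caps[i], 0, 0, 0) != 0) return errno == EPERM ? 2 : -1;
        if (capbset_has(caps[i]) != 0) return -1;   /* dropped but still present: bail */
    }
    return 0;
}
```

Bounding-set drops are irreversible for the process and its children, which is exactly the property the attach case needs; an unprivileged run reports 2 instead of silently continuing with the capabilities intact.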