Re: [libvirt] [RFC][PATCH] lxc: drop CAP_SYS_BOOT capability to preventrebooting from inside containers

On Fri, May 08, 2009 at 12:43:19PM +0900, Ryota Ozaki wrote: Hi Serge, On Fri, May 8, 2009 at 11:04 AM, Serge E. Hallyn se...@us.ibm.com wrote: Quoting Ryota Ozaki (ozaki.ry...@gmail.com): Hi Serge, On Fri, May 8, 2009 at 9:12 AM, Serge E. Hallyn se...@us.ibm.com wrote: Quoting

Re: [libvirt] [RFC][PATCH] lxc: drop CAP_SYS_BOOT capability to preventrebooting from inside containers

Quoting Ryota Ozaki (ozaki.ry...@gmail.com): Hi, Current lxc driver unexpectedly allows users inside containers to reboot host physical machine. This patch prevents this by dropping CAP_SYS_BOOT capability in the bounding set of the init processes in every containers. Note that the patch

Re: [libvirt] [RFC][PATCH] lxc: drop CAP_SYS_BOOT capability to preventrebooting from inside containers

Hi Serge, On Fri, May 8, 2009 at 9:12 AM, Serge E. Hallyn se...@us.ibm.com wrote: Quoting Ryota Ozaki (ozaki.ry...@gmail.com): Hi, Current lxc driver unexpectedly allows users inside containers to reboot host physical machine. This patch prevents this by dropping CAP_SYS_BOOT capability in

Re: [libvirt] [RFC][PATCH] lxc: drop CAP_SYS_BOOT capability to preventrebooting from inside containers

Quoting Ryota Ozaki (ozaki.ry...@gmail.com): Hi Serge, On Fri, May 8, 2009 at 9:12 AM, Serge E. Hallyn se...@us.ibm.com wrote: Quoting Ryota Ozaki (ozaki.ry...@gmail.com): Hi, ... +    for (i = 0 ; i ARRAY_CARDINALITY(caps) ; i++) { +        if (prctl(PR_CAPBSET_DROP, caps[i].id, 0,

Re: [libvirt] [RFC][PATCH] lxc: drop CAP_SYS_BOOT capability to preventrebooting from inside containers

Hi Serge, On Fri, May 8, 2009 at 11:04 AM, Serge E. Hallyn se...@us.ibm.com wrote: Quoting Ryota Ozaki (ozaki.ry...@gmail.com): Hi Serge, On Fri, May 8, 2009 at 9:12 AM, Serge E. Hallyn se...@us.ibm.com wrote: Quoting Ryota Ozaki (ozaki.ry...@gmail.com): Hi, ... +    for (i = 0 ; i