On 02/01/2012 05:12 PM, Christian Seiler wrote:
> Hi,
>
> I've attached patches that improve capability handling in LXC. I stumbled
> upon the issue that I wanted to deactivate "dmesg" from inside containers
> with a fairly recent kernel. Instead of dropping CAP_SYS_ADMIN, as was
> the case with previous kernel versions, one is now supposed to drop
> CAP_SYSLOG. Unfortunately, LXC doesn't know about it yet.
>
> The attached patches do the following:
>   - add CAP_SYSLOG and CAP_WAKE_ALARM to the list of capabilities, since
>     they are new
>   - add a function that determines the maximum number of capabilities the
>     currently running kernel (not the one LXC is compiled against) supports
>   - support the specification of numerical IDs for capabilities when using
>     lxc.cap.drop. Then, even if LXC doesn't understand the capability or
>     was compiled against an older kernel, it is still possible to drop that
>     specific capability.
>

Looks good to me.

_______________________________________________
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel
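
The last two items of the patch description, sketched as an added example (this is not the attached patches and not LXC's own code): probe the running kernel for its highest capability number, then accept a capability as either a name or a numeric ID. The function names, the three-entry name table, and the choice of probing with `prctl(PR_CAPBSET_READ)` are assumptions made for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <sys/prctl.h>

/* Highest capability number the running kernel accepts, or -1 on failure.
 * PR_CAPBSET_READ fails with EINVAL for numbers the kernel does not know. */
static int kernel_last_cap(void)
{
    int cap = 0;
    while (prctl(PR_CAPBSET_READ, cap, 0, 0, 0) >= 0)
        cap++;
    return cap - 1;
}

/* Resolve a name (without the CAP_ prefix) or a decimal number to a
 * capability number; -1 if malformed or unknown to the running kernel. */
static int parse_cap(const char *spec)
{
    /* Constructed subset of a name table; values from linux/capability.h. */
    static const struct { const char *name; long value; } known[] = {
        { "sys_admin", 21 }, { "syslog", 34 }, { "wake_alarm", 35 },
    };
    long n = -1;
    char *end;

    for (size_t i = 0; i < sizeof(known) / sizeof(known[0]); i++)
        if (strcasecmp(spec, known[i].name) == 0)
            n = known[i].value;
    if (n < 0) {                       /* not a known name: try a number */
        if (!isdigit((unsigned char)spec[0]))
            return -1;
        errno = 0;
        n = strtol(spec, &end, 10);
        if (errno != 0 || *end != '\0')
            return -1;
    }
    return n <= kernel_last_cap() ? (int)n : -1;
}

int main(int argc, char **argv)
{
    printf("running kernel: last capability = %d\n", kernel_last_cap());
    for (int i = 1; i < argc; i++)
        printf("%s -> %d\n", argv[i], parse_cap(argv[i]));
    return 0;
}
```

Because the bound comes from the running kernel rather than from compile-time headers, a numeric ID newer than the build still resolves, while a number the kernel does not know is rejected instead of being silently ignored.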