On Wed, Dec 07, 2011 at 12:55:44PM -0800, Chris Haumesser wrote:
> I'm experimenting with the libvirt lxc driver, and wondering if there
> is some way to control the capabilities assigned to the container processes.
>
> With lxc-tools, I can specify a configuration option, lxc.cap.drop,
> which causes the container processes to drop the specified privileges.
>
> My libvirt containers seem to run with
> cap_sys_module,cap_sys_boot,cap_sys_time,cap_audit_control,cap_mac_admin
> which is rather more permissive than I'd like. In particular,
> cap_sys_boot allows a container to reboot the host machine.

I think you have that the wrong way around. The containers run
*without* cap_sys_{module,boot,time,audit_control,mac_admin}.
Any of the remaining capabilities we allow should be safe to use
within the context of a container (well ok, we need the UID/GID
namespace stuff to be finished really for this to be safe). But
we certainly block clearly dangerous things like reboot & module
loading.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
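A quick way to settle which reading of the capability list is right is to inspect the bounding set (CapBnd) of the container's init process from the host and decode which CAP_* bits are missing. The script below is an added example, not code from this thread or from the libvirt project; the bit-to-name table follows linux/capability.h, and the embedded /proc status text is a constructed sample in which exactly the five capabilities named above are cleared, standing in for a real container init.

```python
"""Decode the capability bounding set from /proc/<pid>/status.

Added example (not part of the libvirt thread or project): parses the
Cap* lines, maps each set bit to its CAP_* name, and lists the
capabilities that are absent from the bounding set, so you can confirm
from the host that a container init really lacks cap_sys_boot & co.
"""
import re
import sys

# Bit number -> capability name, as in linux/capability.h (bits 0..40).
# Bits this table does not know are reported as cap_<bit> rather than hidden.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]

# Matches the five capability-set lines the kernel prints in /proc/<pid>/status.
CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", re.M)


def cap_mask(names):
    """Build a kernel-style bitmask from a list of capability names."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_NAMES.index(name)
    return mask


def decode_mask(mask):
    """Return the set of capability names whose bit is set in mask."""
    names = set()
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "cap_%d" % bit)
        bit += 1
    return names


def parse_status(text):
    """Extract {'CapBnd': int, 'CapEff': int, ...} from /proc/<pid>/status text."""
    return {m.group(1): int(m.group(2), 16) for m in CAP_LINE.finditer(text)}


def dropped_capabilities(status_text):
    """Capabilities the process can never regain: those cleared from CapBnd.

    On kernels older than this table, bits above CAP_LAST_CAP are also clear
    in CapBnd and show up here; that is accurate, the kernel has no such cap.
    """
    bnd = parse_status(status_text)["CapBnd"]
    return sorted(set(CAP_NAMES) - decode_mask(bnd))


# Constructed sample (not captured from a real libvirt guest): a status file
# for an init whose bounding set lacks the five capabilities named in the thread.
LIBVIRT_DROPS = ["cap_sys_module", "cap_sys_boot", "cap_sys_time",
                 "cap_audit_control", "cap_mac_admin"]
FULL_MASK = (1 << len(CAP_NAMES)) - 1
SAMPLE_BND = FULL_MASK & ~cap_mask(LIBVIRT_DROPS)
SAMPLE_STATUS = "Name:\tinit\nPid:\t1\nCapBnd:\t%016x\nCapEff:\t%016x\n" % (
    SAMPLE_BND, SAMPLE_BND)


def main(argv):
    """Usage: capcheck.py [pid]; with no pid the constructed sample is decoded."""
    if len(argv) > 1:
        with open("/proc/%s/status" % argv[1]) as f:
            text = f.read()
    else:
        text = SAMPLE_STATUS
    for name in dropped_capabilities(text):
        print("dropped from bounding set:", name)
    if "cap_sys_boot" in decode_mask(parse_status(text)["CapBnd"]):
        print("WARNING: cap_sys_boot is still in the bounding set")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the PID of the container's init as seen from the host (e.g. the PID that `virsh` or `ps` reports for the lxc guest's first process); because the bounding set is inherited and can only shrink, an empty cap_sys_boot bit there means no process inside the container can obtain reboot, regardless of what CapEff shows for any individual child.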