lxc: allow to keep or drop capabilities

Added <capabilities> in the <features> section of the LXC domain
configuration. This section can contain elements named after the
capabilities, like:

  <mknod state="on"/>        keep CAP_MKNOD capability
  <sys_chroot state="off"/>  drop CAP_SYS_CHROOT capability

Users can restrict or give more capabilities than the default using
this mechanism.
Cédric Bosdonnat
2014-07-18 10:02:29 +02:00
committed by Gao feng
parent a86b6215a7
commit 47e5b5ae32
10 changed files with 755 additions and 20 deletions


@@ -540,6 +540,53 @@ debootstrap, whatever) under /opt/vm-1-root:
&lt;/domain&gt;
</pre>
<h2><a name="capabilities">Altering the available capabilities</a></h2>
<p>
By default the libvirt LXC driver drops some capabilities among which CAP_MKNOD.
However <span class="since">since 1.2.6</span> libvirt can be told to keep or
drop some capabilities using a domain configuration like the following:
</p>
<pre>
...
&lt;features&gt;
&lt;capabilities policy='default'&gt;
&lt;mknod state='on'/&gt;
&lt;sys_chroot state='off'/&gt;
&lt;/capabilities&gt;
&lt;/features&gt;
...
</pre>
<p>
The capabilities children elements are named after the capabilities as defined in
<code>man 7 capabilities</code>. An <code>off</code> state tells libvirt to drop the
capability, while an <code>on</code> state will force to keep the capability even though
this one is dropped by default.
</p>
<p>
The <code>policy</code> attribute can be one of <code>default</code>, <code>allow</code>
or <code>deny</code>. It defines the default rules for capabilities: either keep the
default behavior that is dropping a few selected capabilities, or keep all capabilities
or drop all capabilities. The interest of <code>allow</code> and <code>deny</code> is that
they guarantee that all capabilities will be kept (or removed) even if new ones are added
later.
</p>
<p>
The following example, drops all capabilities but CAP_MKNOD:
</p>
<pre>
...
&lt;features&gt;
&lt;capabilities policy='deny'&gt;
&lt;mknod state='on'/&gt;
&lt;/capabilities&gt;
&lt;/features&gt;
...
</pre>
<p>
Note that allowing capabilities that are normally dropped by default can seriously
affect the security of the container and the host.
</p>
<h2><a name="usage">Container usage / management</a></h2>
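Review bot: the text never says what a per-capability child does when it contradicts the policy, even though the second example relies on exactly that (policy='deny' together with <mknod state='on'/>); add a sentence stating whether a child state overrides the policy in both directions, e.g. whether <sys_chroot state='off'/> under policy='allow' still drops CAP_SYS_CHROOT. Two smaller points: "will force to keep the capability even though this one is dropped by default" reads better as "forces the capability to be kept even though it is dropped by default", and the first paragraph names only CAP_MKNOD among the capabilities dropped by policy='default'; a pointer to the complete default list would let users judge what that policy actually leaves them with.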


@@ -3815,6 +3815,9 @@
<empty/>
</element>
</optional>
<optional>
<ref name="capabilities"/>
</optional>
</interleave>
</element>
</optional>
@@ -4387,6 +4390,200 @@
</element>
</define>
<!-- Optional capabilities features -->
<define name="capabilities">
<element name="capabilities">
<ref name="capabilitiespolicy"/>
<interleave>
<optional>
<element name="audit_control">
<ref name="featurestate"/>
</element>
</optional>
<optional>
<element name="audit_write">
<ref name="featurestate"/>
</element>
</optional>
<optional>
<element name="block_suspend">
<ref name="featurestate"/>
</element>
</optional>
<optional>
<element name="chown">
<ref name="featurestate"/>
</element>
</optional>
<optional>
<element name="dac_override">
<ref name="featurestate"/>
</element>
</optional>
<optional>
<element name="dac_read_search">
<ref name="featurestate"/>
</element>
</optional>
<optional>
<element name="fowner">
<ref name="featurestate"/>
</element>
</optional>
<optional>
<element name="fsetid">
<ref name="featurestate"/>
</element>
</optional>
<optional>
<element name="ipc_lock">
<ref name="featurestate"/>
</element>
</optional>
<optional>
<element name="ipc_owner">
<ref name="featurestate"/>
</element>
</optional>
<optional>
<element name="kill">
<ref name="featurestate"/>
</element>
</optional>
<optional>
<element name="lease">
<ref name="featurestate"/>
</element>
</optional>
<optional>
<element name="linux_immutable">
<ref name="featurestate"/>
</element>
</optional>
<optional>
<element name="mac_admin">
<ref name="featurestate"/>
</element>
</optional>
<optional>
<element name="mac_override">
<ref name="featurestate"/>
</element>
</optional>
<optional>
<element name="mknod">
<ref name="featurestate"/>
</element>
</optional>
<optional>
<element name="net_admin">
<ref name="featurestate"/>
</element>
</optional>
<optional>
<element name="net_bind_service">
<ref name="featurestate"/>
</element>
</optional>
<optional>
<element name="net_broadcast">
<ref name="featurestate"/>
</element>
</optional>
<optional>
<element name="net_raw">
<ref name="featurestate"/>
</element>
</optional>
<optional>
<element name="setgid">
<ref name="featurestate"/>
</element>
</optional>
<optional>
<element name="setfcap">
<ref name="featurestate"/>
</element>
</optional>
<optional>
<element name="setpcap">
<ref name="featurestate"/>
</element>
</optional>
<optional>
<element name="setuid">
<ref name="featurestate"/>
</element>
</optional>
<optional>
<element name="sys_admin">
<ref name="featurestate"/>
</element>
</optional>
<optional>
<element name="sys_boot">
<ref name="featurestate"/>
</element>
</optional>
<optional>
<element name="sys_chroot">
<ref name="featurestate"/>
</element>
</optional>
<optional>
<element name="sys_module">
<ref name="featurestate"/>
</element>
</optional>
<optional>
<element name="sys_nice">
<ref name="featurestate"/>
</element>
</optional>
<optional>
<element name="sys_pacct">
<ref name="featurestate"/>
</element>
</optional>
<optional>
<element name="sys_ptrace">
<ref name="featurestate"/>
</element>
</optional>
<optional>
<element name="sys_rawio">
<ref name="featurestate"/>
</element>
</optional>
<optional>
<element name="sys_resource">
<ref name="featurestate"/>
</element>
</optional>
<optional>
<element name="sys_time">
<ref name="featurestate"/>
</element>
</optional>
<optional>
<element name="sys_tty_config">
<ref name="featurestate"/>
</element>
</optional>
<optional>
<element name="syslog">
<ref name="featurestate"/>
</element>
</optional>
<optional>
<element name="wake_alarm">
<ref name="featurestate"/>
</element>
</optional>
</interleave>
</element>
</define>
<define name="featurestate">
<attribute name="state">
<choice>
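Review bot: the body of the capabilities define is a hand-maintained enumeration, one <optional><element name="..."> block per capability, so any capability the kernel gains later is rejected by the schema until someone extends this list, which sits awkwardly next to the docs hunk's promise that policy='allow'/'deny' cover capabilities "even if new ones are added later". Consider generating this block from the same capability table the driver uses, or adding a test that fails when the schema list and the driver's list diverge, so the two cannot drift apart silently.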
@@ -4396,6 +4593,16 @@
</attribute>
</define>
<define name="capabilitiespolicy">
<attribute name="policy">
<choice>
<value>default</value>
<value>allow</value>
<value>deny</value>
</choice>
</attribute>
</define>
<!--
Optional hypervisor extensions in their own namespace:
QEmu
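Review bot: the choice lists the three values the docs describe, but nothing gives 'default' any meaning when the attribute is absent; because the capabilities element references capabilitiespolicy directly, without <optional>, a <capabilities> element with no policy= attribute fails validation instead of falling back to 'default', while the docs only say the attribute "can be one of" the three values. Either wrap the reference in <optional> and document the fallback, or state in the docs that policy is required.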