drop CAP_SYS_BOOT capability from LXC containers

* src/lxc_container.c: drop LXC CAP_SYS_BOOT capability to avoid
  reboot from inside containers, patch by Ryota Ozaki
Daniel

ChangeLog

@@ -1,3 +1,8 @@
+Mon May 11 16:03:37 CEST 2009 Daniel Veillard <veillard@redhat.com>
+
+	* src/lxc_container.c: drop LXC CAP_SYS_BOOT capability to avoid
+	  reboot from inside containers, patch by Ryota Ozaki
+
 Mon May 11 09:51:00 EDT 2009 Cole Robinson <crobinso@redhat.com>
 
 	* src/qemu_driver.c : Check that QEMU is still alive while

src/lxc_container.c

@@ -41,6 +41,9 @@
 /* For MS_MOVE */
 #include <linux/fs.h>
 
+#include <sys/prctl.h>
+#include <sys/capability.h>
+
 #include "virterror_internal.h"
 #include "logging.h"
 #include "lxc_container.h"
@@ -639,6 +642,29 @@ static int lxcContainerSetupMounts(virDomainDefPtr vmDef,
         return lxcContainerSetupExtraMounts(vmDef);
 }
 
+static int lxcContainerDropCapabilities( virDomainDefPtr vmDef )
+{
+    int i;
+    const struct {
+        int id;
+        const char *name;
+    } caps[] = {
+#define ID_STRING(name) name, #name
+        { ID_STRING(CAP_SYS_BOOT) },
+    };
+
+    for (i = 0 ; i < ARRAY_CARDINALITY(caps) ; i++) {
+        if (prctl(PR_CAPBSET_DROP, caps[i].id, 0, 0, 0)) {
+            lxcError(NULL, NULL, VIR_ERR_INTERNAL_ERROR,
+                     _("failed to drop %s"), caps[i].name);
+            return -1;
+        }
+    }
+
+    return 0;
+}
+
+
 /**
  * lxcChild:
  * @argv: Pointer to container arguments
@@ -705,6 +731,10 @@ static int lxcContainerChild( void *data )
     if (lxcContainerEnableInterfaces(argv->nveths, argv->veths) < 0)
         return -1;
 
+    /* drop a set of root capabilities */
+    if (lxcContainerDropCapabilities(vmDef) < 0)
+        return -1;
+
     /* this function will only return if an error occured */
     return lxcContainerExecInit(vmDef);
 }