| field | value | date |
|---|---|---|
| author | Daniel Lezcano <dlezcano@fr.ibm.com> | 2010-01-21 14:48:42 +0100 |
| committer | Daniel Lezcano <dlezcano@fr.ibm.com> | 2010-01-21 15:06:42 +0100 |
| commit | 81810dd120291b78daf7c6833e6fcbca0289aad5 (patch) | |
| tree | a273845d1f58a3af144a1538f99199bb39013fcc /doc | |
| parent | add extra line in the busybox script (diff) | |
| download | lxc-81810dd120291b78daf7c6833e6fcbca0289aad5.tar.gz lxc-81810dd120291b78daf7c6833e6fcbca0289aad5.tar.bz2 lxc-81810dd120291b78daf7c6833e6fcbca0289aad5.zip | |
drop capabilities
Hello everyone!
I've written a patch which adds a new config keyword
'lxc.cap.drop'. This keyword allows specifying capabilities which are
dropped before executing the container binary.
Example:
lxc.cap.drop = sys_chroot
lxc.cap.drop = mknod
lxc.cap.drop = sys_module
or specify in a single line:
lxc.cap.drop = sys_chroot mknod sys_module
Reworked-by: Daniel Lezcano <daniel.lezcano@free.fr>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Signed-off-by: Michael Holzt <lxc@my.fqdn.org>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
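The two forms of the keyword described above, parsed the way the new documentation specifies them (lower-case names without the "CAP_" prefix, one or several per line, keyword repeatable). This is an added example, not LXC's own parser; the capability table is a constructed subset of capabilities(7) and '#' comment handling is assumed.

```python
import re

# Constructed subset of capabilities(7) names, used only to reject typos.
KNOWN_CAPS = {
    "chown", "dac_override", "fowner", "kill", "setgid", "setuid", "setpcap",
    "net_bind_service", "net_raw", "sys_chroot", "sys_module", "sys_admin",
    "mknod", "mac_override", "mac_admin",
}

_CAP_DROP_LINE = re.compile(r"^\s*lxc\.cap\.drop\s*=\s*(?P<value>.*?)\s*$")


def parse_cap_drop(config_text):
    """Return the set of CAP_* names a container config asks to drop.

    Accepts both 'one name per line' and 'several names on one line'
    (space separated). Raises ValueError for a name that is not in the
    documented format (e.g. 'CAP_SYS_MODULE' instead of 'sys_module')
    or is not a known capability, so a misspelled drop cannot silently
    leave a privilege in place.
    """
    dropped = set()
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # '#' comments assumed, as in lxc.conf
        match = _CAP_DROP_LINE.match(line)
        if not match:
            continue  # some other keyword (lxc.rootfs, lxc.utsname, ...)
        for name in match.group("value").split():
            if name != name.lower() or name.startswith("cap_"):
                raise ValueError(
                    f"line {lineno}: '{name}' must be lower case without "
                    "the CAP_ prefix (e.g. sys_module)")
            if name not in KNOWN_CAPS:
                raise ValueError(f"line {lineno}: unknown capability '{name}'")
            dropped.add("CAP_" + name.upper())
    return dropped


# Constructed container config exercising both forms and a repeated keyword.
SAMPLE_CONFIG = """\
# constructed config for the example
lxc.utsname = demo
lxc.rootfs = /var/lib/lxc/demo/rootfs
lxc.cap.drop = sys_module mknod
lxc.cap.drop = setuid net_raw   # trailing comment
lxc.cap.drop = mac_override
"""


def sample_drops():
    return parse_cap_drop(SAMPLE_CONFIG)


if __name__ == "__main__":
    print(sorted(sample_drops()))
```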
Diffstat (limited to 'doc')
-rw-r--r-- | doc/lxc.conf.sgml.in | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/doc/lxc.conf.sgml.in b/doc/lxc.conf.sgml.in index 4258885..c0c8bb1 100644 --- a/doc/lxc.conf.sgml.in +++ b/doc/lxc.conf.sgml.in @@ -421,6 +421,36 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA </variablelist> </refsect2> + <refsect2> + <title>Capabilities</title> + <para> + The capabilities can be dropped in the container if this one + is run as root. + </para> + <variablelist> + <varlistentry> + <term> + <option>lxc.cap.drop</option> + </term> + <listitem> + <para> + Specify the capability to be dropped in the + container. The format is the lower case of the + capability definition without the "CAP_" prefix, + eg. CAP_SYS_MODULE should be specified as + sys_module. See + <citerefentry> + <refentrytitle><command>capabilities</command></refentrytitle> + <manvolnum>7</manvolnum>. A single line defining + several capabilities with a space separation is + allowed. + </citerefentry>, + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect2> + </refsect1> <refsect1> @@ -639,6 +669,14 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA <term>lxc.rootfs = /mnt/rootfs.complex</term> <listitem><para></para></listitem> </varlistentry> + <varlistentry> + <term>lxc.cap.drop = sys_module mknod setuid net_raw</term> + <listitem><para></para></listitem> + </varlistentry> + <varlistentry> + <term>lxc.cap.drop = mac_override</term> + <listitem><para></para></listitem> + </varlistentry> </variablelist> </refsect2> |
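Review bot: In the first hunk (the new Capabilities refsect2 around line 421 of doc/lxc.conf.sgml.in) the `</citerefentry>` is placed after the sentence "A single line defining several capabilities with a space separation is allowed.", so that sentence sits inside the citation element, which only admits `<refentrytitle>` and `<manvolnum>`, and the citation is then followed by a stray comma that leaves the paragraph unterminated. Suggest closing the element right after `<manvolnum>7</manvolnum>`, ending that sentence with a period, and starting "A single line defining several capabilities separated by spaces is allowed." as a new sentence outside it. Two wording points in the same hunk: "if this one is run as root" is ambiguous and would read better as "if the container is run as root", and "eg." should be "e.g.".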
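Review bot: In the second hunk (the examples list around line 639) the two new `lxc.cap.drop` entries keep the empty `<listitem><para></para></listitem>` used by the surrounding entries, but for a hardening option a one-line description would help readers pick a sensible set; e.g. note that the first example removes kernel module loading, device node creation, uid changes and raw sockets from the container's root, and the second only the MAC override. It would also be worth stating in the example that the keyword may be given once with several names or repeated per name, since that is what the commit message highlights.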