Comment 7 for bug 1576341

Stéphane Graber (stgraber) wrote : Re: fails in lxd container

LXC doesn't drop many capabilities; we only really drop mac_admin, mac_override, sys_time, sys_module and sys_rawio.

That's because we do run workloads which do need the other capabilities, including cap_sys_admin.

Now in an unprivileged container, having those capabilities will only do you good against resources owned by the container and will (obviously) not let you gain any more rights than you had as the owning uid prior to entering the container.

So you absolutely do have cap_sys_admin and it will let you do a bunch of things against the network devices owned by your container or mount entries owned by the container, ... but it will not let you mess with things that aren't namespaced and that you wouldn't be allowed to touch as a normal unprivileged user.

The kernel has a nice ns_capable(ns, CAP) function which lets you check whether you do have the named capability against a given resource; I'm not aware of a userspace equivalent though.

Having us drop a bunch of capabilities is the wrong answer though and we won't be doing that.
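As an added example (not part of this bug thread, and not LXD's or LXC's own code), here is a small C program showing the userspace check a defender can actually do: decode the `CapBnd`/`CapEff` hex mask from `/proc/<pid>/status` to see which capabilities a process holds, confirm that the five capabilities the comment lists are absent from the bounding set, and read `/proc/<pid>/uid_map` to tell whether the process sits in a non-initial user namespace (where, as the comment explains, the remaining capabilities such as cap_sys_admin only apply to namespaced resources). The capability numbers are those of `include/uapi/linux/capability.h`; the two sample lines are constructed, not captured from a real container.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <errno.h>

/* Capability numbers as defined in include/uapi/linux/capability.h. */
#define CAP_SYS_MODULE   16
#define CAP_SYS_RAWIO    17
#define CAP_SYS_ADMIN    21
#define CAP_SYS_TIME     25
#define CAP_MAC_OVERRIDE 32
#define CAP_MAC_ADMIN    33

/* Parse one "CapXxx:\t<hex>" line from /proc/<pid>/status into a 64-bit mask.
 * Returns 0 on success, -1 if the line is not a well-formed capability line. */
int parse_cap_line(const char *line, uint64_t *mask_out)
{
    const char *colon = strchr(line, ':');
    if (!colon || strncmp(line, "Cap", 3) != 0)
        return -1;
    const char *p = colon + 1;
    while (*p == ' ' || *p == '\t')
        p++;
    char *end;
    errno = 0;
    unsigned long long v = strtoull(p, &end, 16);
    if (errno != 0 || end == p)
        return -1;
    *mask_out = (uint64_t)v;
    return 0;
}

/* Bit test: does capability number `cap` appear in `mask`? */
int cap_mask_has(uint64_t mask, int cap)
{
    return cap >= 0 && cap < 64 && ((mask >> cap) & 1ULL) != 0;
}

/* The five capabilities the comment says LXC removes from the bounding set.
 * Returns how many of them are still present (0 means all were dropped). */
int count_lxc_dropped_caps_present(uint64_t bnd_mask)
{
    static const int dropped[] = { CAP_MAC_ADMIN, CAP_MAC_OVERRIDE,
                                   CAP_SYS_TIME, CAP_SYS_MODULE, CAP_SYS_RAWIO };
    int present = 0;
    for (size_t i = 0; i < sizeof dropped / sizeof dropped[0]; i++)
        if (cap_mask_has(bnd_mask, dropped[i]))
            present++;
    return present;
}

/* Parse a /proc/<pid>/uid_map line "inside outside count".
 * Returns 1 for the identity mapping of the initial user namespace
 * (0 0 4294967295), 0 for any other mapping (i.e. a user namespace with
 * shifted ids, as in an unprivileged container), -1 on parse error. */
int uid_map_is_identity(const char *line)
{
    unsigned long inside, outside, count;
    if (sscanf(line, "%lu %lu %lu", &inside, &outside, &count) != 3)
        return -1;
    return inside == 0 && outside == 0 && count == 4294967295UL;
}

/* Constructed sample lines (not captured from a real system): a bounding set
 * of all 38 capabilities minus the five LXC drops, and a shifted uid_map. */
static const char *sample_status_capbnd = "CapBnd:\t0000003cfdfcffff\n";
static const char *sample_uid_map = "         0     100000      65536\n";

int main(void)
{
    uint64_t bnd = 0;
    if (parse_cap_line(sample_status_capbnd, &bnd) != 0) {
        fprintf(stderr, "bad CapBnd line\n");
        return 1;
    }
    printf("CapBnd mask: 0x%llx\n", (unsigned long long)bnd);
    printf("cap_sys_admin in bounding set: %s\n",
           cap_mask_has(bnd, CAP_SYS_ADMIN) ? "yes" : "no");
    printf("LXC-dropped caps still present: %d\n",
           count_lxc_dropped_caps_present(bnd));
    printf("uid_map is identity (initial user ns): %s\n",
           uid_map_is_identity(sample_uid_map) == 1 ? "yes" : "no");
    return 0;
}
```

To run the same check on a live process, feed the `CapBnd:` line of `/proc/self/status` and the first line of `/proc/self/uid_map` to these functions; a non-identity uid_map together with cap_sys_admin in the mask is exactly the situation the comment describes, where the capability is real but confined to the container's own resources.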