Remove capng_lock() call when spawning LXC container init process
The capng_lock() call sets the SECURE_NO_SETUID_FIXUP and SECURE_NOROOT bits on the process. This prevents the kernel granting capabilities to processes with an effective UID of 0, or with setuid programs. This is not actually what we want in the container init process. It should be allowed to run setuid processes & keep capabilities when root. All that is required is masking a handful of dangerous capabilities from the bounding set. * src/lxc/lxc_container.c: Remove bogus capng_lock() call.
Showing
想要评论请 注册 或 登录