don't force dropping capabilities in lxc-init

Commit 0af683cf added clearing of capabilities to lxc-init, but only after lxc_setup_fs() was done, likely so that the mounting done in that routine wouldn't fail. However, in my testing lxc_caps_reset() wasn't really effective anyway since it did not clear the bounding set. Adding prctl PR_CAPBSET_DROP in a loop from 0 to CAP_LAST_CAP would fix this, but I don't think its necessary to forcefully clear all capabilities since users can now specify lxc.cap.keep = none to drop all capabilities. Signed-off-by: Dwight Engen <dwight.engen@oracle.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

don't force dropping capabilities in lxc-init
58558042 · Dwight Engen · Stéphane Graber · 99e616a6 · 58558042 · 58558042
Commit 58558042 authored Jun 19, 2014 by Dwight Engen Committed by Stéphane Graber Jun 20, 2014
Hide whitespace changes
Inline Side-by-side

Showing with 0 additions and 29 deletions

caps.c src/lxc/caps.c +0 -19

caps.h src/lxc/caps.h +0 -4

lxc_init.c src/lxc/lxc_init.c +0 -6

No files found.
--- a/src/lxc/caps.c
+++ b/src/lxc/caps.c
@@ -41,25 +41,6 @@ lxc_log_define(lxc_caps, lxc);
 #define PR_CAPBSET_READ 23
 #endif
-int lxc_caps_reset(void)
-{
-	cap_t cap = cap_init();
-	int ret = 0;
-	if (!cap) {
-		ERROR("cap_init() failed : %m");
-		return -1;
-	}
-	if (cap_set_proc(cap)) {
-		ERROR("cap_set_proc() failed : %m");
-		ret = -1;
-	}
-	cap_free(cap);
-	return ret;
-}
 int lxc_caps_down(void)
 {
 	cap_t caps;

--- a/src/lxc/caps.h
+++ b/src/lxc/caps.h
@@ -26,16 +26,12 @@
 #define __LXC_CAPS_H
 #if HAVE_SYS_CAPABILITY_H
-extern int lxc_caps_reset(void);
 extern int lxc_caps_down(void);
 extern int lxc_caps_up(void);
 extern int lxc_caps_init(void);
 extern int lxc_caps_last_cap(void);
 #else
-static inline int lxc_caps_reset(void) {
-        return 0;
-}
 static inline int lxc_caps_down(void) {
        return 0;
 }

--- a/src/lxc/lxc_init.c
+++ b/src/lxc/lxc_init.c
@@ -104,9 +104,6 @@ int main(int argc, char *argv[])
 		}
 	}
-	if (lxc_caps_init())
-		exit(EXIT_FAILURE);
 	err = lxc_log_init(name, name ? NULL : "none", logpriority,
 			   basename(argv[0]), quiet, lxcpath);
 	if (err < 0)
@@ -168,9 +165,6 @@ int main(int argc, char *argv[])
 	lxc_setup_fs();
-	if (lxc_caps_reset())
-		exit(EXIT_FAILURE);
 	pid = fork();
 	if (pid < 0)