Rework old article

This commit is contained in:
Quentin 2021-07-14 23:20:24 +02:00
parent 3ac63015ee
commit e646f5b20a
Signed by untrusted user: quentin
GPG key ID: A98E9B769E4FF428


@ -1,10 +1,9 @@
--- ---
layout: post layout: post
slug: hardening-lxc-containers-running-systemd slug: lxc-drop-capsysadmin
status: published status: published
sitemap: true sitemap: true
title: Some LXC hardening title: Dropping CAP_SYS_ADMIN in LXC
description: An epic trying to drop CAP\_SYS\_ADMIN
category: developpement category: developpement
tags: tags:
- security - security
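Review bot: changing `slug` on a post that is `status: published` and `sitemap: true` breaks the existing URL `hardening-lxc-containers-running-systemd` for inbound links and search engines; keep the old path reachable (for example a `redirect_from:` entry if the site uses jekyll-redirect-from) or keep the old slug. Separately, `description: An epic trying to drop CAP\_SYS\_ADMIN` uses markdown-style backslash escapes inside a YAML plain scalar, where a backslash is a literal character, so the rendered description will most likely show `CAP\_SYS\_ADMIN` unless the template passes it through a markdown filter; the new `title:` line writes `CAP_SYS_ADMIN` plainly and the description should do the same.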
@ -147,14 +146,16 @@ lxc.hook.mount = /usr/local/bin/mount-cgroup
And now, your container is working ! And now, your container is working !
But instead of creating a capabilities blacklist, can we create a capabilities whitelist ? But instead of creating a capabilities blacklist, can we create a capabilities whitelist ?
Yes, we can:
```ini ```ini
lxc.cap.keep = lxc.cap.keep =
lxc.cap.keep = chown ipc_lock ipc_owner kill net_admin net_bind_service lxc.cap.keep = chown ipc_lock ipc_owner kill net_admin net_bind_service
``` ```
You can find the whole capability list in the dedicated man page [capabilities(7)](http://man7.org/linux/man-pages/man7/capabilities.7.html) and how to use them with LXC in the LXC man page [lxc.container.conf(5)](https://linuxcontainers.org/fr/lxc/manpages//man5/lxc.container.conf.5.html#lbAV). If you want to dig the question further, you can find the whole capability list in the dedicated man page [capabilities(7)](http://man7.org/linux/man-pages/man7/capabilities.7.html) and how to use them with LXC in the LXC man page [lxc.container.conf(5)](https://linuxcontainers.org/fr/lxc/manpages//man5/lxc.container.conf.5.html#lbAV). Have fun!
<!--
## cgroups: group your processes ## cgroups: group your processes
[Wikipedia](https://en.wikipedia.org/wiki/Cgroups) proposes the following definition: [Wikipedia](https://en.wikipedia.org/wiki/Cgroups) proposes the following definition:
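Review bot: the leading empty `lxc.cap.keep =` line in the new `ini` block is not explained by the text around it ("Yes, we can:"); since readers will copy the block, add a sentence saying that an empty assignment clears any keep list set earlier in the config, or drop the line if it is not needed. One more sentence would also tie the block to the new title: because `lxc.cap.keep` is a whitelist, every capability not in `chown ipc_lock ipc_owner kill net_admin net_bind_service` is dropped, CAP_SYS_ADMIN included, so the reader sees why this replaces the earlier blacklist approach. The `<!--` added on the last line opens an HTML comment that must be closed later in the file (the next hunk adds the `-->`); worth checking that nothing between them is still meant to render.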
@ -174,4 +175,4 @@ Michael Kerrisk wrote an interesting [serie of articles about namespaces](https:
> The purpose of each namespace is to wrap a particular global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource. > The purpose of each namespace is to wrap a particular global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource.
-->
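Review bot: wrapping the cgroups and namespaces sections in `<!-- ... -->` hides them from the rendered page but leaves the full text, including its external links, in the served HTML source, where it will silently drift out of date. If the material is being retired, delete it (git history keeps it); if it is meant to return, move it to a draft instead. If it does stay, "serie of articles" in the context line should read "series of articles".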