forked from quentin/quentin.dufour.io
Rework old article
This commit is contained in:
parent
3ac63015ee
commit
e646f5b20a
1 changed files with 6 additions and 5 deletions
|
@ -1,10 +1,9 @@
|
||||||
---
|
---
|
||||||
layout: post
|
layout: post
|
||||||
slug: hardening-lxc-containers-running-systemd
|
slug: lxc-drop-capsysadmin
|
||||||
status: published
|
status: published
|
||||||
sitemap: true
|
sitemap: true
|
||||||
title: Some LXC hardening
|
title: Dropping CAP_SYS_ADMIN in LXC
|
||||||
description: An epic trying to drop CAP\_SYS\_ADMIN
|
|
||||||
category: developpement
|
category: developpement
|
||||||
tags:
|
tags:
|
||||||
- security
|
- security
|
||||||
|
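Review bot: changing `slug` of a post that is still `status: published` and `sitemap: true` from `hardening-lxc-containers-running-systemd` to `lxc-drop-capsysadmin` breaks every existing link and search index entry for the old URL; keep the old slug or add a redirect from the old path (a `redirect_from:` front-matter entry if the site uses the jekyll-redirect-from plugin, otherwise a server-side rewrite). The `description:` line is removed outright rather than reworded to match the new title, so the page loses its meta description; replace it with a one-line summary of the narrowed topic, e.g. `description: Running systemd in LXC without CAP_SYS_ADMIN`.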
@ -147,14 +146,16 @@ lxc.hook.mount = /usr/local/bin/mount-cgroup
|
||||||
And now, your container is working !
|
And now, your container is working !
|
||||||
|
|
||||||
But instead of creating a capabilities blacklist, can we create a capabilities whitelist ?
|
But instead of creating a capabilities blacklist, can we create a capabilities whitelist ?
|
||||||
|
Yes, we can:
|
||||||
|
|
||||||
```ini
|
```ini
|
||||||
lxc.cap.keep =
|
lxc.cap.keep =
|
||||||
lxc.cap.keep = chown ipc_lock ipc_owner kill net_admin net_bind_service
|
lxc.cap.keep = chown ipc_lock ipc_owner kill net_admin net_bind_service
|
||||||
```
|
```
|
||||||
|
|
||||||
You can find the whole capability list in the dedicated man page [capabilities(7)](http://man7.org/linux/man-pages/man7/capabilities.7.html) and how to use them with LXC in the LXC man page [lxc.container.conf(5)](https://linuxcontainers.org/fr/lxc/manpages//man5/lxc.container.conf.5.html#lbAV).
|
If you want to dig the question further, you can find the whole capability list in the dedicated man page [capabilities(7)](http://man7.org/linux/man-pages/man7/capabilities.7.html) and how to use them with LXC in the LXC man page [lxc.container.conf(5)](https://linuxcontainers.org/fr/lxc/manpages//man5/lxc.container.conf.5.html#lbAV). Have fun!
|
||||||
|
|
||||||
|
<!--
|
||||||
## cgroups: group your processes
|
## cgroups: group your processes
|
||||||
|
|
||||||
[Wikipedia](https://en.wikipedia.org/wiki/Cgroups) proposes the following definition:
|
[Wikipedia](https://en.wikipedia.org/wiki/Cgroups) proposes the following definition:
|
||||||
|
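Review bot: the added `<!--` at the end of this hunk opens an HTML comment around the `## cgroups` section with no explanation, and its matching `-->` only appears three paragraphs later in the next hunk; if those sections are being retired, delete them (git history keeps them) instead of commenting them out, since kramdown/Jekyll passes HTML comments through into the rendered page source. The new `Yes, we can:` lead-in also leaves the `ini` block unexplained: it first sets `lxc.cap.keep =` to an empty value and then `lxc.cap.keep = chown ipc_lock ipc_owner kill net_admin net_bind_service`; add a sentence saying what the empty assignment is meant to do and check it against the `lxc.cap.keep` entry of lxc.container.conf(5), which the post already links and which documents the special value `none` for clearing the keep list. A short justification of why each kept capability is needed would also help readers, since `net_admin` in particular is a broad one.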
@ -174,4 +175,4 @@ Michael Kerrisk wrote an interesting [serie of articles about namespaces](https:
|
||||||
|
|
||||||
> The purpose of each namespace is to wrap a particular global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource.
|
> The purpose of each namespace is to wrap a particular global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource.
|
||||||
|
|
||||||
|
-->
|
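Review bot: this hunk only closes the HTML comment opened in the previous hunk, so the namespaces section, including the quoted Michael Kerrisk definition, and the `## cgroups` heading become dead text in the source; prefer removing them outright, and if they are meant to return later, say so in the commit message (`Rework old article` does not mention that two sections were hidden). The context line in the hunk header still reads `serie of articles`, which should be `series of articles`.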