From e646f5b20a7be85025ba7530fb6585021af8df58 Mon Sep 17 00:00:00 2001
From: Quentin Dufour
Date: Wed, 14 Jul 2021 23:20:24 +0200
Subject: [PATCH] Rework old article

---
 ...ntainers.md => 2021-07-14-lxc-drop-capsysadmin.md} | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
 rename _posts/{2017-08-22-hardening-lxc-containers.md => 2021-07-14-lxc-drop-capsysadmin.md} (95%)

diff --git a/_posts/2017-08-22-hardening-lxc-containers.md b/_posts/2021-07-14-lxc-drop-capsysadmin.md
similarity index 95%
rename from _posts/2017-08-22-hardening-lxc-containers.md
rename to _posts/2021-07-14-lxc-drop-capsysadmin.md
index fab1699..de05a3e 100644
--- a/_posts/2017-08-22-hardening-lxc-containers.md
+++ b/_posts/2021-07-14-lxc-drop-capsysadmin.md
@@ -1,10 +1,9 @@
 ---
 layout: post
-slug: hardening-lxc-containers-running-systemd
+slug: lxc-drop-capsysadmin
 status: published
 sitemap: true
-title: Some LXC hardening
-description: An epic trying to drop CAP\_SYS\_ADMIN
+title: Dropping CAP_SYS_ADMIN in LXC
 category: developpement
 tags:
 - security
@@ -147,14 +146,16 @@ lxc.hook.mount = /usr/local/bin/mount-cgroup And now, your container is working ! But instead of creating a capabilities blacklist, can we create a capabilities whitelist ? +Yes, we can: ```ini lxc.cap.keep = lxc.cap.keep = chown ipc_lock ipc_owner kill net_admin net_bind_service ``` -You can find the whole capability list in the dedicated man page [capabilities(7)](http://man7.org/linux/man-pages/man7/capabilities.7.html) and how to use them with LXC in the LXC man page [lxc.container.conf(5)](https://linuxcontainers.org/fr/lxc/manpages//man5/lxc.container.conf.5.html#lbAV). +If you want to dig the question further, you can find the whole capability list in the dedicated man page [capabilities(7)](http://man7.org/linux/man-pages/man7/capabilities.7.html) and how to use them with LXC in the LXC man page [lxc.container.conf(5)](https://linuxcontainers.org/fr/lxc/manpages//man5/lxc.container.conf.5.html#lbAV). Have fun! +