[PATCH] Forbid invocation of kexec_load() outside initial PID namespace
Serge E. Hallyn
serge at hallyn.com
Mon Aug 6 19:20:40 UTC 2012
Quoting Serge Hallyn (serge at hallyn.com):
> during the container reboot discussion, the agreement was reached that rebooting for real from non-init pid ns is not safe. Restarting userspace (in pidns caller owns) is. I argue the same reasoning supports this.
> I haven't had a chance to review the patch, but the idea gets my ack. I'll look at the patch asap.
> I'm also fine with splitting cap_sys_boot into a user and system caps. The former would only be needed targeted to the userns of the init pid, while the latter would be required to init_user_ns. Then containers could safely be given cap_sys_restart or whatever, but not cap_sys_boot which authorizes kexec and machine reset/poweroff.
Splitting the cap up into CAP_RESTART (restart /sbin/init) and CAP_BOOT
(reboot hardware or kexec kernel) has the advantage that the capabilities
each remain simpler to parse, no 'in this context it means that'.