[PATCH] Forbid invocation of kexec_load() outside initial PID namespace

Serge E. Hallyn serge at hallyn.com
Mon Aug 6 19:20:40 UTC 2012


Quoting Serge Hallyn (serge at hallyn.com):
> Eric,
> 
> during the container reboot discussion, the agreement was reached that rebooting for real from non-init pid ns is not safe.  Restarting userspace (in pidns caller owns) is.  I argue the same reasoning supports this.
> 
> I haven't had a chance to review the patch, but the idea gets my ack.  I'll look at the patch asap.
> 
> I'm also fine with splitting cap_sys_boot into a user and system caps.  The former would only be needed targeted to the userns of the init pid, while the latter would be required to init_user_ns.  Then containers could safely be given cap_sys_restart or whatever, but not cap_sys_boot which authorizes kexec and machine reset/poweroff.

Splitting the cap up into CAP_RESTART (restart /sbin/init) and CAP_BOOT
(reboot hardware or kexec kernel) has the advantage that the capabilities
each remain simpler to parse, no 'in this context it means that'.
