nspawn: add audit caps to default set to keep
Due to the brokeness of much of the userspace audit code we cannot really start too many systems without the audit caps set. To make nspawn easier to use just add the audit caps by default. To boot up containers successfully the kernel's auditing needs to be turned off still (use "audit=0" on the kernel command line), but at least no manual caps have to be passed anymore. In the long run auditing will be fixed for containers and ve virtualized properly at which time it should be safe to enable these caps anyway.
This commit is contained in:
Lennart Poettering
parent
96cde13ace
commit
88d04e31ce
|
|
@ -227,8 +227,8 @@
|
|||
list of capability names, see
|
||||
<citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
|
||||
for more information. Note that the
|
||||
following capabilities will be
|
||||
granted in any way: CAP_CHOWN,
|
||||
following capabilities will be granted
|
||||
in any way: CAP_CHOWN,
|
||||
CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH,
|
||||
CAP_FOWNER, CAP_FSETID, CAP_IPC_OWNER,
|
||||
CAP_KILL, CAP_LEASE,
|
||||
|
|
@ -239,7 +239,9 @@
|
|||
CAP_SETUID, CAP_SYS_ADMIN,
|
||||
CAP_SYS_CHROOT, CAP_SYS_NICE,
|
||||
CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG,
|
||||
CAP_SYS_RESOURCE, CAP_SYS_BOOT.</para></listitem>
|
||||
CAP_SYS_RESOURCE, CAP_SYS_BOOT,
|
||||
CAP_AUDIT_WRITE,
|
||||
CAP_AUDIT_CONTROL.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
|
|
|
|||
|
|
@ -96,7 +96,9 @@ static uint64_t arg_retain =
|
|||
(1ULL << CAP_SYS_PTRACE) |
|
||||
(1ULL << CAP_SYS_TTY_CONFIG) |
|
||||
(1ULL << CAP_SYS_RESOURCE) |
|
||||
(1ULL << CAP_SYS_BOOT);
|
||||
(1ULL << CAP_SYS_BOOT) |
|
||||
(1ULL << CAP_AUDIT_WRITE) |
|
||||
(1ULL << CAP_AUDIT_CONTROL);
|
||||
|
||||
static int help(void) {
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue