1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-25 01:34:28 +03:00

nspawn: add audit caps to default set to keep

Due to the brokeness of much of the userspace audit code we cannot
really start too many systems without the audit caps set. To make nspawn
easier to use just add the audit caps by default.

To boot up containers successfully the kernel's auditing needs to be
turned off still (use "audit=0" on the kernel command line), but at
least no manual caps have to be passed anymore.

In the long run auditing will be fixed for containers and ve virtualized
properly at which time it should be safe to enable these caps anyway.
This commit is contained in:
Lennart Poettering 2013-01-18 18:13:01 +01:00
parent 96cde13ace
commit 88d04e31ce
2 changed files with 8 additions and 4 deletions

View File

@ -227,8 +227,8 @@
list of capability names, see
<citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
for more information. Note that the
following capabilities will be
granted in any way: CAP_CHOWN,
following capabilities will be granted
in any way: CAP_CHOWN,
CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH,
CAP_FOWNER, CAP_FSETID, CAP_IPC_OWNER,
CAP_KILL, CAP_LEASE,
@ -239,7 +239,9 @@
CAP_SETUID, CAP_SYS_ADMIN,
CAP_SYS_CHROOT, CAP_SYS_NICE,
CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG,
CAP_SYS_RESOURCE, CAP_SYS_BOOT.</para></listitem>
CAP_SYS_RESOURCE, CAP_SYS_BOOT,
CAP_AUDIT_WRITE,
CAP_AUDIT_CONTROL.</para></listitem>
</varlistentry>
<varlistentry>

View File

@ -96,7 +96,9 @@ static uint64_t arg_retain =
(1ULL << CAP_SYS_PTRACE) |
(1ULL << CAP_SYS_TTY_CONFIG) |
(1ULL << CAP_SYS_RESOURCE) |
(1ULL << CAP_SYS_BOOT);
(1ULL << CAP_SYS_BOOT) |
(1ULL << CAP_AUDIT_WRITE) |
(1ULL << CAP_AUDIT_CONTROL);
static int help(void) {