Well, LXC
I got excited too early. Though it was already clear before that that this thing is not particularly secure.
> Well I just confirmed (the hard way!) that you are correct. It is possible to reboot the host from inside the container, despite CAP_SYS_REBOOT being blocked. I’ll try & figure out how that’s happening/possible…
> It is obvious in retrospect. If you have a container which is sharing the host OS’s root filesystem, then it can see the host’s /dev which contains a /dev/initctrl FIFO pipe. The ‘reboot’ command can tell the host OS to shutdown via that pipe, thus lack of CAP_SYS_REBOOT is irrelevant.
> Since this is a FIFO and not a blockdev/chardev we can’t use cgroups to prevent access to /dev/initctrl. The only reliable way is to wait for the kernel’s user namespace stuff.
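The point of the quoted message is that the cgroup device controller only matches character and block devices by major:minor, so a FIFO that the container can see in /dev is simply outside its reach. As an added example (my own code, not from the quoted thread or from LXC), here is a small audit that lists FIFOs under a container's /dev and flags the sysvinit control FIFO. The quoted message spells it /dev/initctrl; the name sysvinit actually uses is /dev/initctl, and that is what the check looks for. The demo builds a throwaway directory with a FIFO in it so the check can be run anywhere; on a real container you would point it at /dev.

```python
import os
import stat
import tempfile

# sysvinit's control FIFO: anything that can write to it can ask the host's
# init to change runlevel. The quoted message calls it /dev/initctrl; the
# actual sysvinit name is initctl.
INIT_CONTROL_FIFOS = ("initctl",)


def find_fifos(dev_dir):
    """Return (name, path, writable) for every FIFO directly under dev_dir.

    The cgroup device controller filters char/block devices by major:minor
    and never sees a FIFO, so every entry returned here is reachable by a
    container process that has write permission on it, regardless of which
    capabilities (e.g. CAP_SYS_BOOT) the container has dropped.
    """
    found = []
    for name in sorted(os.listdir(dev_dir)):
        path = os.path.join(dev_dir, name)
        try:
            st = os.lstat(path)          # lstat: do not follow symlinks
        except OSError:
            continue                     # vanished or unreadable entry
        if stat.S_ISFIFO(st.st_mode):
            found.append((name, path, os.access(path, os.W_OK)))
    return found


def audit_dev(dev_dir="/dev"):
    """Summarise FIFO exposure in dev_dir.

    risk is True when an init control FIFO is present and writable by the
    calling user, i.e. the situation the quoted message describes.
    """
    fifos = find_fifos(dev_dir)
    init_ctl = [p for n, p, w in fifos if n in INIT_CONTROL_FIFOS]
    init_ctl_writable = [p for n, p, w in fifos if n in INIT_CONTROL_FIFOS and w]
    return {
        "fifos": [p for _, p, _ in fifos],
        "init_control": init_ctl,
        "risk": bool(init_ctl_writable),
    }


def demo():
    """Constructed sample: a fake /dev with one regular file and one FIFO."""
    with tempfile.TemporaryDirectory() as fake_dev:
        with open(os.path.join(fake_dev, "null"), "w"):
            pass                                  # plain file, not a FIFO
        os.mkfifo(os.path.join(fake_dev, "initctl"), 0o600)  # the shared FIFO
        return audit_dev(fake_dev)


if __name__ == "__main__":
    print(demo())
    # On a real system, run audit_dev() (defaults to /dev) inside the container.
```

Nothing here writes to the FIFO; the check only reports whether a writable one is visible. A clean container should return an empty `fifos` list, or at least no `init_control` entry, and a non-empty result is a sign that /dev is the host's rather than a container-private one.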