ISLET Supports Kernel Capabilities

Jon Schipp

Feb 22, 2015, 3:33:13 AM
to islet
Hello all, 

With this commit [1] ISLET easily supports setting kernel capabilities per container and globally. It introduces a new config file called security.conf which can be used to apply capabilities via yes or no.

e.g. $ grep SYS config/security.conf 

CAP_SYSLOG="no"                     # Modify kernel printk behavior
CAP_SYS_ADMIN="no"                  # Catch all
CAP_SYS_MODULE="no"                 # Insert/remove kernel modules
CAP_SYS_PACCT="no"                  # Configure process accounting
CAP_SYS_NICE="no"                   # Modify priority of processes
CAP_SYS_RAWIO="no"                  # Modify kernel memory
CAP_SYS_RESOURCE="no"               # Override resource limits
CAP_SYS_TIME="no"                   # Modify the system clock
CAP_SYS_TTY_CONFIG="no"             # Configure tty devices
CAP_SYS_BOOT="yes"                  # Use reboot(2) and kexec_load(2)
CAP_SYS_CHROOT="yes"                # Use chroot(2)
CAP_SYS_PTRACE="yes"                # Trace arbitrary processes using ptrace(2)
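
Added example, not part of the original post and not ISLET's own code: one way a file in this CAP_*="yes"/"no" format could be turned into container runtime flags, parsing the file as data instead of sourcing it so a stray line is never executed. It assumes the runtime is Docker and that "yes" maps to `--cap-add` and "no" to `--cap-drop`; the function name `caps_to_flags` and the sample file are hypothetical.

```shell
#!/bin/sh
# Added example: convert CAP_*="yes|no" lines into docker run capability flags.
# Assumption: "yes" -> --cap-add, "no" -> --cap-drop (Docker takes the name
# without the CAP_ prefix). The file is parsed, never sourced.

caps_to_flags() {
    conf=$1
    flags=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                  # drop trailing comment
        line=$(printf '%s' "$line" | tr -d '[:space:]')   # drop padding
        case $line in
            CAP_*=*) ;;                                   # a capability setting
            *) continue ;;                                # blank or unrelated line
        esac
        name=${line%%=*}
        value=${line#*=}
        value=${value#\"}; value=${value%\"}              # strip the quotes
        case $name in                                     # reject odd names
            *[!A-Z_]*) echo "bad capability name: $name" >&2; return 1 ;;
        esac
        case $value in
            yes) flags="$flags --cap-add=${name#CAP_}" ;;
            no)  flags="$flags --cap-drop=${name#CAP_}" ;;
            *)   echo "bad value for $name: $value" >&2; return 1 ;;
        esac
    done < "$conf"
    printf '%s\n' "${flags# }"
}

# Constructed sample input in the format shown in the post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CAP_SYS_ADMIN="no"                  # Catch all
CAP_SYS_MODULE="no"                 # Insert/remove kernel modules
CAP_SYS_CHROOT="yes"                # Use chroot(2)
EOF
caps_to_flags "$sample"
rm -f "$sample"
```

A value other than yes or no makes the function fail with a non-zero status, so a typo in the file stops the container launch instead of silently leaving a capability at the runtime's default.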
