From: Jacques Gelinas (jack_at_solucorp.qc.ca)
Date: Thu 14 Nov 2002 - 03:09:09 GMT
On Fri, 22 Feb 2002 11:25:05 -0500, klavs klavsen wrote
> Hi guys,
>
> I'm running through reducecap with strings.
>
> i can see three options (I've only found one of them mentioned in the
> docs).
>
> --secure (mentioned - removes all unsafe capabilities)
> --show (shows current capabilities)
> --flag (gives me a segmentation fault)
>
> what's the idea with --flag? what are you suppose to feed it?
Here is some doc
sets the security context flags. The option may be repeated
several times. Here are the values:
lock: The security context can't be changed. The process is trapped
in this context. This is generally used for vservers because you
do not want them to hide in a new security context.
sched: Each process in a security context contributes (lowers) to the general
priority of every process in the context. Mostly, all processes
in a security context take as much CPU together as one process
not bound to this flag. Said again differently, a vserver having
100 active processes won't get more CPU than another vserver
with a single active process.
nproc: The "ulimit -u N" setting becomes global to the security context. It means
the security context is not allowed to have more than N processes.
private: No other process, even root in security context 0, is allowed to
enter this security context. Once a security context is set up
with this flag, it is on its own. This also means that root
in security context 0 won't be able to kill or interact with those
processes.
hideinfo: Hides various information in /proc. (not implemented yet)
> is it possible to define which capabilities to remove? other than just
> what secure removes? can you enter --secure (and then add extra
> capabilities to the --secure standard set?)
Yes, the following options may be used:
--LINUX_IMMUTABLE
--NET_BIND_SERVICE
--NET_BROADCAST
--NET_ADMIN
--NET_RAW
--IPC_LOCK
--IPC_OWNER
--SYS_MODULE
--SYS_RAWIO
--SYS_PACCT
--SYS_ADMIN
--SYS_BOOT
--SYS_NICE
--SYS_RESOURCE
--SYS_TIME
--MKNOD
I have updated the man page.
---------------------------------------------------------
Jacques Gelinas <jack_at_solucorp.qc.ca>
vserver: run general purpose virtual servers on one box, full speed!
http://www.solucorp.qc.ca/miscprj/s_context.hc
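The reply lists the capabilities that reducecap can control but says nothing about how to verify, from outside the tool, what a process in a security context actually retained. The script below is an added example and is not part of the vserver/reducecap sources or of this mailing-list thread: it decodes the `Cap*` mask lines of `/proc/<pid>/status` and reports which of the capabilities named above are still set. The bit positions are the standard ones from `<linux/capability.h>` (assumed to be what the `--NAME` options refer to, since the names match the kernel's `CAP_*` constants), and the sample masks at the bottom are constructed for illustration, not captured from a real vserver.

```python
"""Audit capability masks from /proc/<pid>/status against the capability
names that reducecap exposes as --NAME options.

Added example, not code from reducecap or vserver.  The bit numbers are the
standard Linux values from <linux/capability.h>; the sample masks below are
constructed, not captured from a running system.
"""
import re

# Bit positions of the capabilities named in the reply (from <linux/capability.h>).
REDUCECAP_CAPS = {
    "LINUX_IMMUTABLE": 9,
    "NET_BIND_SERVICE": 10,
    "NET_BROADCAST": 11,
    "NET_ADMIN": 12,
    "NET_RAW": 13,
    "IPC_LOCK": 14,
    "IPC_OWNER": 15,
    "SYS_MODULE": 16,
    "SYS_RAWIO": 17,
    "SYS_PACCT": 20,
    "SYS_ADMIN": 21,
    "SYS_BOOT": 22,
    "SYS_NICE": 23,
    "SYS_RESOURCE": 24,
    "SYS_TIME": 25,
    "MKNOD": 27,
}

_CAP_LINE = re.compile(r"^Cap(\w+):\s*([0-9a-fA-F]+)\s*$")


def parse_cap_line(line):
    """Turn one 'CapEff:\t<hex>' style line into (set_name, int_mask)."""
    m = _CAP_LINE.match(line)
    if not m:
        raise ValueError("not a capability line: %r" % line)
    return m.group(1), int(m.group(2), 16)


def remaining_caps(mask):
    """Names from REDUCECAP_CAPS whose bit is still set in mask, in bit order."""
    return sorted((name for name, bit in REDUCECAP_CAPS.items() if (mask >> bit) & 1),
                  key=lambda n: REDUCECAP_CAPS[n])


def audit_status(status_text):
    """Map every Cap* set found in a /proc/<pid>/status text to the named
    capabilities it still contains (an empty list means all were dropped)."""
    result = {}
    for line in status_text.splitlines():
        if line.startswith("Cap"):
            set_name, mask = parse_cap_line(line)
            result[set_name] = remaining_caps(mask)
    return result


# Constructed sample masks (32-bit layout): full root minus CAP_SETPCAP,
# and the same mask with every capability named in the reply cleared.
FULL_ROOT_MASK = 0xFFFFFEFF
REDUCED_MASK = 0xF40C00FF

SAMPLE_STATUS = (
    "Name:\tsh\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000f40c00ff\n"
    "CapEff:\t00000000f40c04ff\n"   # NET_BIND_SERVICE (bit 10) deliberately left in
)


def main():
    """Audit the current process if /proc is available, else the sample text."""
    try:
        with open("/proc/self/status") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_STATUS
    for set_name, names in sorted(audit_status(text).items()):
        print("Cap%s: %s" % (set_name, ", ".join(names) or "(none of the listed caps)"))


if __name__ == "__main__":
    main()
```

Run it inside the context being checked (or point it at `/proc/<pid>/status` of a process in that context): a non-empty list for `CapEff` or `CapPrm` means the named capability is still usable there, whatever reducecap reported.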