On 05/01/2013 06:51 AM, Serge Hallyn wrote:
> Don't allow write to /dev/rtc0, and remove sys_time (in any templates
> which drop any capabilities)
> 
> Reported-by: Christoph Mitasch <cmita...@thomas-krenn.com>
> Signed-off-by: Serge Hallyn <serge.hal...@ubuntu.com>

Assuming this has been tested not to prevent boot for any of the updated
templates.

Acked-by: Stéphane Graber <stgra...@ubuntu.com>

> ---
>  templates/lxc-alpine.in       | 2 +-
>  templates/lxc-archlinux.in    | 2 +-
>  templates/lxc-debian.in       | 2 +-
>  templates/lxc-fedora.in       | 2 +-
>  templates/lxc-opensuse.in     | 4 ++--
>  templates/lxc-ubuntu-cloud.in | 4 ++--
>  templates/lxc-ubuntu.in       | 4 ++--
>  7 files changed, 10 insertions(+), 10 deletions(-)
> 
> diff --git a/templates/lxc-alpine.in b/templates/lxc-alpine.in
> index 962d274..bb7cdb3 100644
> --- a/templates/lxc-alpine.in
> +++ b/templates/lxc-alpine.in
> @@ -129,7 +129,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
>  lxc.cgroup.devices.allow = c 136:* rwm
>  lxc.cgroup.devices.allow = c 5:2 rwm
>  # rtc
> -lxc.cgroup.devices.allow = c 254:0 rwm
> +lxc.cgroup.devices.allow = c 254:0 rm
>  
>  # mounts point
>  lxc.mount.entry=proc proc proc nodev,noexec,nosuid 0 0
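Review bot: Narrowing the rtc entry to `c 254:0 rm` only closes the hardware-clock path; the alpine template receives no `lxc.cap.drop` change in this series (its diffstat shows a single changed line), so a container built from it appears to keep CAP_SYS_TIME, and the kernel clock it shares with the host stays settable from inside. The debian and fedora hunks change only the same device line and have the same residual gap. If those templates deliberately drop no capabilities, recording that next to the entry would help the next maintainer, e.g. `# rtc (read-only; this template does not drop sys_time, so the shared kernel clock is not protected here)`. The lxc.cgroup.devices.allow lines are emitted from a heredoc whose start lies outside the hunk.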
> diff --git a/templates/lxc-archlinux.in b/templates/lxc-archlinux.in
> index ed5fb46..98d5424 100644
> --- a/templates/lxc-archlinux.in
> +++ b/templates/lxc-archlinux.in
> @@ -127,7 +127,7 @@ lxc.tty=1
>  lxc.pts=1024
>  lxc.rootfs=${rootfs_path}
>  lxc.mount=${config_path}/fstab
> -lxc.cap.drop=mknod sys_module mac_admin mac_override
> +lxc.cap.drop=mknod sys_module mac_admin mac_override sys_time
>  lxc.kmsg=0
>  lxc.stopsignal=SIGRTMIN+4
>  #networking
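Review bot: The extended `lxc.cap.drop=... sys_time` line has no comment explaining the addition, and the same applies to the opensuse, ubuntu-cloud and ubuntu cap-drop hunks. Because the kernel also requires CAP_SYS_TIME for the RTC set-time ioctl, dropping the capability is the primary control here and the `rm` device restriction elsewhere in the series is defense in depth; a short note such as `# sys_time dropped: the container shares the host clock` would preserve that rationale. For archlinux the diffstat shows only this one line changed, so if its template lists an rtc device the permission is not narrowed here — worth confirming. The line sits inside a heredoc that starts and ends outside the hunk.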
> diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in
> index 568bc2c..efb3e04 100644
> --- a/templates/lxc-debian.in
> +++ b/templates/lxc-debian.in
> @@ -237,7 +237,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
>  lxc.cgroup.devices.allow = c 136:* rwm
>  lxc.cgroup.devices.allow = c 5:2 rwm
>  # rtc
> -lxc.cgroup.devices.allow = c 254:0 rwm
> +lxc.cgroup.devices.allow = c 254:0 rm
>  
>  # mounts point
>  lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
> diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in
> index 6f31e99..7dc4516 100644
> --- a/templates/lxc-fedora.in
> +++ b/templates/lxc-fedora.in
> @@ -272,7 +272,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
>  lxc.cgroup.devices.allow = c 136:* rwm
>  lxc.cgroup.devices.allow = c 5:2 rwm
>  # rtc
> -lxc.cgroup.devices.allow = c 254:0 rwm
> +lxc.cgroup.devices.allow = c 254:0 rm
>  EOF
>  
>      cat <<EOF > $config_path/fstab
> diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in
> index af92cf5..7d3dd1c 100644
> --- a/templates/lxc-opensuse.in
> +++ b/templates/lxc-opensuse.in
> @@ -275,7 +275,7 @@ lxc.autodev=1
>  lxc.tty = 4
>  lxc.pts = 1024
>  lxc.mount = $path/fstab
> -lxc.cap.drop = sys_module mac_admin mac_override mknod
> +lxc.cap.drop = sys_module mac_admin mac_override mknod sys_time
>  
>  # When using LXC with apparmor, uncomment the next line to run unconfined:
>  #lxc.aa_profile = unconfined
> @@ -295,7 +295,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
>  lxc.cgroup.devices.allow = c 136:* rwm
>  lxc.cgroup.devices.allow = c 5:2 rwm
>  # rtc
> -lxc.cgroup.devices.allow = c 254:0 rwm
> +lxc.cgroup.devices.allow = c 254:0 rm
>  EOF
>  
>      cat <<EOF > $path/fstab
> diff --git a/templates/lxc-ubuntu-cloud.in b/templates/lxc-ubuntu-cloud.in
> index d60f2c7..9f5cf19 100644
> --- a/templates/lxc-ubuntu-cloud.in
> +++ b/templates/lxc-ubuntu-cloud.in
> @@ -55,7 +55,7 @@ lxc.pts = 1024
>  
>  lxc.utsname = $name
>  lxc.arch = $arch
> -lxc.cap.drop = sys_module mac_admin mac_override
> +lxc.cap.drop = sys_module mac_admin mac_override sys_time
>  
>  # When using LXC with apparmor, uncomment the next line to run unconfined:
>  #lxc.aa_profile = unconfined
> @@ -76,7 +76,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
>  lxc.cgroup.devices.allow = c 136:* rwm
>  lxc.cgroup.devices.allow = c 5:2 rwm
>  # rtc
> -lxc.cgroup.devices.allow = c 254:0 rwm
> +lxc.cgroup.devices.allow = c 254:0 rm
>  # fuse
>  lxc.cgroup.devices.allow = c 10:229 rwm
>  # tun
> diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
> index 7100acc..37a1b9c 100644
> --- a/templates/lxc-ubuntu.in
> +++ b/templates/lxc-ubuntu.in
> @@ -378,7 +378,7 @@ lxc.pts = 1024
>  
>  lxc.utsname = $name
>  lxc.arch = $arch
> -lxc.cap.drop = sys_module mac_admin mac_override
> +lxc.cap.drop = sys_module mac_admin mac_override sys_time
>  
>  # When using LXC with apparmor, uncomment the next line to run unconfined:
>  #lxc.aa_profile = unconfined
> @@ -399,7 +399,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
>  lxc.cgroup.devices.allow = c 136:* rwm
>  lxc.cgroup.devices.allow = c 5:2 rwm
>  # rtc
> -lxc.cgroup.devices.allow = c 254:0 rwm
> +lxc.cgroup.devices.allow = c 254:0 rm
>  # fuse
>  lxc.cgroup.devices.allow = c 10:229 rwm
>  # tun
> 


-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
