Quoting Stéphane Graber (stgra...@ubuntu.com): > On 05/01/2013 06:51 AM, Serge Hallyn wrote: > > Don't allow write to /dev/rtc0, and remove sys_time (in any templates > > which drop any capabilities) > > > > Reported-by: Christoph Mitasch <cmita...@thomas-krenn.com> > > Signed-off-by: Serge Hallyn <serge.hal...@ubuntu.com> > > Assuming this has been tested not to prevent boot for any of the update > templates. > > Acked-by: Stéphane Graber <stgra...@ubuntu.com>
I didn't test all of them, only ubuntu. If anything fails to boot because of inability to mess with host's clock, that will be interesting :) I'll test whatever ones I can (i.e. not sure all of them work) before pushing.
>
> > ---
> > templates/lxc-alpine.in | 2 +-
> > templates/lxc-archlinux.in | 2 +-
> > templates/lxc-debian.in | 2 +-
> > templates/lxc-fedora.in | 2 +-
> > templates/lxc-opensuse.in | 4 ++--
> > templates/lxc-ubuntu-cloud.in | 4 ++--
> > templates/lxc-ubuntu.in | 4 ++--
> > 7 files changed, 10 insertions(+), 10 deletions(-)
> >
> > diff --git a/templates/lxc-alpine.in b/templates/lxc-alpine.in
> > index 962d274..bb7cdb3 100644
> > --- a/templates/lxc-alpine.in
> > +++ b/templates/lxc-alpine.in
> > @@ -129,7 +129,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
> > lxc.cgroup.devices.allow = c 136:* rwm
> > lxc.cgroup.devices.allow = c 5:2 rwm
> > # rtc
> > -lxc.cgroup.devices.allow = c 254:0 rwm
> > +lxc.cgroup.devices.allow = c 254:0 rm
> >
> > # mounts point
> > lxc.mount.entry=proc proc proc nodev,noexec,nosuid 0 0
> > diff --git a/templates/lxc-archlinux.in b/templates/lxc-archlinux.in
> > index ed5fb46..98d5424 100644
> > --- a/templates/lxc-archlinux.in
> > +++ b/templates/lxc-archlinux.in
> > @@ -127,7 +127,7 @@ lxc.tty=1
> > lxc.pts=1024
> > lxc.rootfs=${rootfs_path}
> > lxc.mount=${config_path}/fstab
> > -lxc.cap.drop=mknod sys_module mac_admin mac_override
> > +lxc.cap.drop=mknod sys_module mac_admin mac_override sys_time
> > lxc.kmsg=0
> > lxc.stopsignal=SIGRTMIN+4
> > #networking
> > diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in
> > index 568bc2c..efb3e04 100644
> > --- a/templates/lxc-debian.in
> > +++ b/templates/lxc-debian.in
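Review bot: Container root can presumably still set the host clock in the alpine template, because this hunk only removes `w` from the rtc device rule and adds no capability drop; the debian and fedora hunks have the same gap. The device cgroup controls access to the device node only, while settimeofday(), clock_settime() and adjtimex() are gated by CAP_SYS_TIME alone, and as far as I know the RTC set-time ioctl is also checked against the capability rather than the open mode. The commit message limits the sys_time change to templates that already drop capabilities, so these three would need a new line, `lxc.cap.drop = sys_time`, to get the same protection as archlinux, opensuse and the ubuntu templates. The surrounding config block starts and ends outside the hunk, so whether a drop list exists elsewhere in the file should be confirmed.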
> > @@ -237,7 +237,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
> > lxc.cgroup.devices.allow = c 136:* rwm
> > lxc.cgroup.devices.allow = c 5:2 rwm
> > # rtc
> > -lxc.cgroup.devices.allow = c 254:0 rwm
> > +lxc.cgroup.devices.allow = c 254:0 rm
> >
> > # mounts point
> > lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
> > diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in
> > index 6f31e99..7dc4516 100644
> > --- a/templates/lxc-fedora.in
> > +++ b/templates/lxc-fedora.in
> > @@ -272,7 +272,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
> > lxc.cgroup.devices.allow = c 136:* rwm
> > lxc.cgroup.devices.allow = c 5:2 rwm
> > # rtc
> > -lxc.cgroup.devices.allow = c 254:0 rwm
> > +lxc.cgroup.devices.allow = c 254:0 rm
> > EOF
> >
> > cat <<EOF > $config_path/fstab
> > diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in
> > index af92cf5..7d3dd1c 100644
> > --- a/templates/lxc-opensuse.in
> > +++ b/templates/lxc-opensuse.in
> > @@ -275,7 +275,7 @@ lxc.autodev=1
> > lxc.tty = 4
> > lxc.pts = 1024
> > lxc.mount = $path/fstab
> > -lxc.cap.drop = sys_module mac_admin mac_override mknod
> > +lxc.cap.drop = sys_module mac_admin mac_override mknod sys_time
> >
> > # When using LXC with apparmor, uncomment the next line to run unconfined:
> > #lxc.aa_profile = unconfined
> > @@ -295,7 +295,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
> > lxc.cgroup.devices.allow = c 136:* rwm
> > lxc.cgroup.devices.allow = c 5:2 rwm
> > # rtc
> > -lxc.cgroup.devices.allow = c 254:0 rwm
> > +lxc.cgroup.devices.allow = c 254:0 rm
> > EOF
> >
> > cat <<EOF > $path/fstab
> > diff --git a/templates/lxc-ubuntu-cloud.in b/templates/lxc-ubuntu-cloud.in
> > index d60f2c7..9f5cf19 100644
> > --- a/templates/lxc-ubuntu-cloud.in
> > +++ b/templates/lxc-ubuntu-cloud.in
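Review bot: The rule in the debian hunk relies on `254:0` being the RTC, but the rtc character-device major is allocated dynamically by the kernel, so the pair is not guaranteed to match /dev/rtc0 on every host. Where it does not match, the line grants `rm` on whatever device owns 254:0 instead. The same hard-coded pair appears in the alpine, fedora, opensuse, ubuntu-cloud and ubuntu hunks. I would expand the comment to record both the assumption and the intent, e.g. `# rtc: read-only so the container cannot write /dev/rtc0; major is dynamic, check /proc/devices on the host`. It is also worth considering whether `m` is needed at all, since nothing visible here shows the container creating the node itself.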
> > @@ -55,7 +55,7 @@ lxc.pts = 1024
> >
> > lxc.utsname = $name
> > lxc.arch = $arch
> > -lxc.cap.drop = sys_module mac_admin mac_override
> > +lxc.cap.drop = sys_module mac_admin mac_override sys_time
> >
> > # When using LXC with apparmor, uncomment the next line to run unconfined:
> > #lxc.aa_profile = unconfined
> > @@ -76,7 +76,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
> > lxc.cgroup.devices.allow = c 136:* rwm
> > lxc.cgroup.devices.allow = c 5:2 rwm
> > # rtc
> > -lxc.cgroup.devices.allow = c 254:0 rwm
> > +lxc.cgroup.devices.allow = c 254:0 rm
> > # fuse
> > lxc.cgroup.devices.allow = c 10:229 rwm
> > # tun
> > diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
> > index 7100acc..37a1b9c 100644
> > --- a/templates/lxc-ubuntu.in
> > +++ b/templates/lxc-ubuntu.in
> > @@ -378,7 +378,7 @@ lxc.pts = 1024
> >
> > lxc.utsname = $name
> > lxc.arch = $arch
> > -lxc.cap.drop = sys_module mac_admin mac_override
> > +lxc.cap.drop = sys_module mac_admin mac_override sys_time
> >
> > # When using LXC with apparmor, uncomment the next line to run unconfined:
> > #lxc.aa_profile = unconfined
> > @@ -399,7 +399,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm > > lxc.cgroup.devices.allow = c 136:* rwm > > lxc.cgroup.devices.allow = c 5:2 rwm > > # rtc > > -lxc.cgroup.devices.allow = c 254:0 rwm > > +lxc.cgroup.devices.allow = c 254:0 rm > > # fuse > > lxc.cgroup.devices.allow = c 10:229 rwm > > # tun > > > > > -- > Stéphane Graber > Ubuntu developer > http://www.ubuntu.com