Quoting Dwight Engen (dwight.en...@oracle.com): > On Wed, 1 May 2013 10:54:10 -0500 > Serge Hallyn <serge.hal...@ubuntu.com> wrote: > > > Quoting Stéphane Graber (stgra...@ubuntu.com): > > > On 05/01/2013 06:51 AM, Serge Hallyn wrote: > > > > Don't allow write to /dev/rtc0, and remove sys_time (in any > > > > templates which drop any capabilities) > > > > > > > > Reported-by: Christoph Mitasch <cmita...@thomas-krenn.com> > > > > Signed-off-by: Serge Hallyn <serge.hal...@ubuntu.com> > > > > > > Assuming this has been tested not to prevent boot for any of the > > > update templates. > > > > > > Acked-by: Stéphane Graber <stgra...@ubuntu.com> > > > > I didn't test all of them, only ubuntu. > > > > If anything fails to boot because of inability to mess with host's > > clock, that will be interesting :) I'll test whatever ones I can > > (i.e. not sure all of them work) before pushing. > > Just FYI, when I removed /dev/rtc0 from the lxc-oracle template, the > containers still booted but /sbin/hwclock complained which is why it > got commented out from the initscripts. Other than that removing > /dev/rtc0 completely hasn't seemed to have any ill side effects.
Well, now I don't know. My patch only removed sys_time from templates already removing capabilities. I'm not sure that's right. I'm going to change it to remove it from all templates (as well as sys_module, mac_admin, and mac_override). The template doesn't get to decide how it can hose my host... ------------------------------------------------------------------------------ Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET Get 100% visibility into your production application - at no cost. Code-level diagnostics for performance bottlenecks with <2% overhead Download for free and get started troubleshooting in minutes. http://p.sf.net/sfu/appdyn_d2d_ap1 _______________________________________________ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
