Quoting Serge Hallyn (serge.hal...@ubuntu.com): > Quoting Dwight Engen (dwight.en...@oracle.com): > > On Wed, 1 May 2013 10:54:10 -0500 > > Serge Hallyn <serge.hal...@ubuntu.com> wrote: > > > > > Quoting Stéphane Graber (stgra...@ubuntu.com): > > > > On 05/01/2013 06:51 AM, Serge Hallyn wrote: > > > > > Don't allow write to /dev/rtc0, and remove sys_time (in any > > > > > templates which drop any capabilities) > > > > > > > > > > Reported-by: Christoph Mitasch <cmita...@thomas-krenn.com> > > > > > Signed-off-by: Serge Hallyn <serge.hal...@ubuntu.com> > > > > > > > > Assuming this has been tested not to prevent boot for any of the > > > > update templates. > > > > > > > > Acked-by: Stéphane Graber <stgra...@ubuntu.com> > > > > > > I didn't test all of them, only ubuntu. > > > > > > If anything fails to boot because of inability to mess with host's > > > clock, that will be interesting :) I'll test whatever ones I can > > > (i.e. not sure all of them work) before pushing. > > > > Just FYI, when I removed /dev/rtc0 from the lxc-oracle template, the > > containers still booted but /sbin/hwclock complained which is why it > > got commented out from the initscripts. Other than that removing > > /dev/rtc0 completely hasn't seemed to have any ill side effects. > > Well, now I don't know. My patch only removed sys_time from templates > already removing capabilities. I'm not sure that's right. I'm going > to change it to remove it from all templates (as well as sys_module, > mac_admin, > and mac_override). The template doesn't get to decide how it can hose my > host...
Alternatively I suppose we could recommend distributions add a reasonable lxc.cap.drop to /etc/lxc/default.conf. I.e., it would go more along with installation of apparmor and selinux profiles. ------------------------------------------------------------------------------ Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET Get 100% visibility into your production application - at no cost. Code-level diagnostics for performance bottlenecks with <2% overhead Download for free and get started troubleshooting in minutes. http://p.sf.net/sfu/appdyn_d2d_ap1 _______________________________________________ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
