[lxc-devel] [PATCH] templates: deny writes to host's clock
Don't allow write to /dev/rtc0, and remove sys_time (in any templates which drop any capabilities)

Reported-by: Christoph Mitasch
Signed-off-by: Serge Hallyn
---
templates/lxc-alpine.in | 2 +-
templates/lxc-archlinux.in| 2 +-
templates/lxc-debian.in | 2 +-
templates/lxc-fedora.in | 2 +-
templates/lxc-opensuse.in | 4 ++--
templates/lxc-ubuntu-cloud.in | 4 ++--
templates/lxc-ubuntu.in | 4 ++--
7 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/templates/lxc-alpine.in b/templates/lxc-alpine.in
index 962d274..bb7cdb3 100644
--- a/templates/lxc-alpine.in
+++ b/templates/lxc-alpine.in
@@ -129,7 +129,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
 lxc.cgroup.devices.allow = c 136:* rwm
 lxc.cgroup.devices.allow = c 5:2 rwm
 # rtc
-lxc.cgroup.devices.allow = c 254:0 rwm
+lxc.cgroup.devices.allow = c 254:0 rm
 
 # mounts point
 lxc.mount.entry=proc proc proc nodev,noexec,nosuid 0 0
diff --git a/templates/lxc-archlinux.in b/templates/lxc-archlinux.in
index ed5fb46..98d5424 100644
--- a/templates/lxc-archlinux.in
+++ b/templates/lxc-archlinux.in
@@ -127,7 +127,7 @@ lxc.tty=1
 lxc.pts=1024
 lxc.rootfs=${rootfs_path}
 lxc.mount=${config_path}/fstab
-lxc.cap.drop=mknod sys_module mac_admin mac_override
+lxc.cap.drop=mknod sys_module mac_admin mac_override sys_time
 lxc.kmsg=0
 lxc.stopsignal=SIGRTMIN+4
 #networking
diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in
index 568bc2c..efb3e04 100644
--- a/templates/lxc-debian.in
+++ b/templates/lxc-debian.in
@@ -237,7 +237,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
 lxc.cgroup.devices.allow = c 136:* rwm
 lxc.cgroup.devices.allow = c 5:2 rwm
 # rtc
-lxc.cgroup.devices.allow = c 254:0 rwm
+lxc.cgroup.devices.allow = c 254:0 rm
 
 # mounts point
 lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in
index 6f31e99..7dc4516 100644
--- a/templates/lxc-fedora.in
+++ b/templates/lxc-fedora.in
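Review bot: Changing the rtc entry from `rwm` to `rm` blocks write opens, but if I read the rtc driver correctly RTC_SET_TIME is an ioctl gated on CAP_SYS_TIME rather than on the open mode, so a container that still holds sys_time can set the host clock through a read-only descriptor; in this revision lxc-alpine.in, lxc-debian.in and lxc-fedora.in receive only the device change and no `lxc.cap.drop = ... sys_time` line, so for those three templates the title of the patch is not yet met. The comment above the changed line also still reads just `# rtc`, which does not say why this is the one device entry without `w`, and a later copy-paste from a neighbouring line will quietly restore `rwm`. Suggest `# rtc: read-only, the clock is shared with the host (writes also need CAP_SYS_TIME, see lxc.cap.drop)` at this hunk and at the identical rtc hunks in lxc-debian.in, lxc-fedora.in, lxc-opensuse.in, lxc-ubuntu-cloud.in and lxc-ubuntu.in.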
@@ -272,7 +272,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
 lxc.cgroup.devices.allow = c 136:* rwm
 lxc.cgroup.devices.allow = c 5:2 rwm
 # rtc
-lxc.cgroup.devices.allow = c 254:0 rwm
+lxc.cgroup.devices.allow = c 254:0 rm
 EOF
 
 cat < $config_path/fstab
diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in
index af92cf5..7d3dd1c 100644
--- a/templates/lxc-opensuse.in
+++ b/templates/lxc-opensuse.in
@@ -275,7 +275,7 @@ lxc.autodev=1
 lxc.tty = 4
 lxc.pts = 1024
 lxc.mount = $path/fstab
-lxc.cap.drop = sys_module mac_admin mac_override mknod
+lxc.cap.drop = sys_module mac_admin mac_override mknod sys_time
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined
@@ -295,7 +295,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
 lxc.cgroup.devices.allow = c 136:* rwm
 lxc.cgroup.devices.allow = c 5:2 rwm
 # rtc
-lxc.cgroup.devices.allow = c 254:0 rwm
+lxc.cgroup.devices.allow = c 254:0 rm
 EOF
 
 cat < $path/fstab
diff --git a/templates/lxc-ubuntu-cloud.in b/templates/lxc-ubuntu-cloud.in
index d60f2c7..9f5cf19 100644
--- a/templates/lxc-ubuntu-cloud.in
+++ b/templates/lxc-ubuntu-cloud.in
@@ -55,7 +55,7 @@ lxc.pts = 1024
 
 lxc.utsname = $name
 lxc.arch = $arch
-lxc.cap.drop = sys_module mac_admin mac_override
+lxc.cap.drop = sys_module mac_admin mac_override sys_time
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined
@@ -76,7 +76,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
 lxc.cgroup.devices.allow = c 136:* rwm
 lxc.cgroup.devices.allow = c 5:2 rwm
 # rtc
-lxc.cgroup.devices.allow = c 254:0 rwm
+lxc.cgroup.devices.allow = c 254:0 rm
 # fuse
 lxc.cgroup.devices.allow = c 10:229 rwm
 # tun
diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
index 7100acc..37a1b9c 100644
--- a/templates/lxc-ubuntu.in
+++ b/templates/lxc-ubuntu.in
@@ -378,7 +378,7 @@ lxc.pts = 1024
 
 lxc.utsname = $name
 lxc.arch = $arch
-lxc.cap.drop = sys_module mac_admin mac_override
+lxc.cap.drop = sys_module mac_admin mac_override sys_time
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined
@@ -399,7 +399,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
 lxc.cgroup.devices.allow = c 136:* rwm
 lxc.cgroup.devices.allow = c 5:2 rwm
 # rtc
-lxc.cgroup.devices.allow = c 254:0 rwm
+lxc.cgroup.devices.allow = c 254:0 rm
 # fuse
 lxc.cgroup.devices.allow = c 10:229 rwm
 # tun
-- 
1.8.1.2

--
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET Get 100% visibility into your production application - at no cost. Code-level diagnostics for performance bottlenecks with <2% overhead Download for free and get started troubleshooting in minutes. http://p.sf.net/sfu/appdyn_d2d_ap1 ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
Re: [lxc-devel] [PATCH] templates: deny writes to host's clock
On 05/01/2013 06:51 AM, Serge Hallyn wrote: > Don't allow write to /dev/rtc0, and remove sys_time (in any templates > which drop any capabilities) > > Reported-by: Christoph Mitasch > Signed-off-by: Serge Hallyn Assuming this has been tested not to prevent boot for any of the update templates. Acked-by: Stéphane Graber > --- > templates/lxc-alpine.in | 2 +- > templates/lxc-archlinux.in| 2 +- > templates/lxc-debian.in | 2 +- > templates/lxc-fedora.in | 2 +- > templates/lxc-opensuse.in | 4 ++-- > templates/lxc-ubuntu-cloud.in | 4 ++-- > templates/lxc-ubuntu.in | 4 ++-- > 7 files changed, 10 insertions(+), 10 deletions(-) > > diff --git a/templates/lxc-alpine.in b/templates/lxc-alpine.in > index 962d274..bb7cdb3 100644 > --- a/templates/lxc-alpine.in > +++ b/templates/lxc-alpine.in > @@ -129,7 +129,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm > lxc.cgroup.devices.allow = c 136:* rwm > lxc.cgroup.devices.allow = c 5:2 rwm > # rtc > -lxc.cgroup.devices.allow = c 254:0 rwm > +lxc.cgroup.devices.allow = c 254:0 rm > > # mounts point > lxc.mount.entry=proc proc proc nodev,noexec,nosuid 0 0 > diff --git a/templates/lxc-archlinux.in b/templates/lxc-archlinux.in > index ed5fb46..98d5424 100644 > --- a/templates/lxc-archlinux.in > +++ b/templates/lxc-archlinux.in > @@ -127,7 +127,7 @@ lxc.tty=1 > lxc.pts=1024 > lxc.rootfs=${rootfs_path} > lxc.mount=${config_path}/fstab > -lxc.cap.drop=mknod sys_module mac_admin mac_override > +lxc.cap.drop=mknod sys_module mac_admin mac_override sys_time > lxc.kmsg=0 > lxc.stopsignal=SIGRTMIN+4 > #networking > diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in > index 568bc2c..efb3e04 100644 > --- a/templates/lxc-debian.in > +++ b/templates/lxc-debian.in 
> @@ -237,7 +237,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm > lxc.cgroup.devices.allow = c 136:* rwm > lxc.cgroup.devices.allow = c 5:2 rwm > # rtc > -lxc.cgroup.devices.allow = c 254:0 rwm > +lxc.cgroup.devices.allow = c 254:0 rm > > # mounts point > lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0 > diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in > index 6f31e99..7dc4516 100644 > --- a/templates/lxc-fedora.in > +++ b/templates/lxc-fedora.in > @@ -272,7 +272,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm > lxc.cgroup.devices.allow = c 136:* rwm > lxc.cgroup.devices.allow = c 5:2 rwm > # rtc > -lxc.cgroup.devices.allow = c 254:0 rwm > +lxc.cgroup.devices.allow = c 254:0 rm > EOF > > cat < $config_path/fstab > diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in > index af92cf5..7d3dd1c 100644 > --- a/templates/lxc-opensuse.in > +++ b/templates/lxc-opensuse.in > @@ -275,7 +275,7 @@ lxc.autodev=1 > lxc.tty = 4 > lxc.pts = 1024 > lxc.mount = $path/fstab > -lxc.cap.drop = sys_module mac_admin mac_override mknod > +lxc.cap.drop = sys_module mac_admin mac_override mknod sys_time > > # When using LXC with apparmor, uncomment the next line to run unconfined: > #lxc.aa_profile = unconfined > @@ -295,7 +295,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm > lxc.cgroup.devices.allow = c 136:* rwm > lxc.cgroup.devices.allow = c 5:2 rwm > # rtc > -lxc.cgroup.devices.allow = c 254:0 rwm > +lxc.cgroup.devices.allow = c 254:0 rm > EOF > > cat < $path/fstab > diff --git a/templates/lxc-ubuntu-cloud.in b/templates/lxc-ubuntu-cloud.in > index d60f2c7..9f5cf19 100644 > --- a/templates/lxc-ubuntu-cloud.in > +++ b/templates/lxc-ubuntu-cloud.in > @@ -55,7 +55,7 @@ lxc.pts = 1024 > > lxc.utsname = $name > lxc.arch = $arch > -lxc.cap.drop = sys_module mac_admin mac_override > +lxc.cap.drop = sys_module mac_admin mac_override sys_time > > # When using LXC with apparmor, uncomment the next line to run unconfined: > #lxc.aa_profile = unconfined 
> @@ -76,7 +76,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm > lxc.cgroup.devices.allow = c 136:* rwm > lxc.cgroup.devices.allow = c 5:2 rwm > # rtc > -lxc.cgroup.devices.allow = c 254:0 rwm > +lxc.cgroup.devices.allow = c 254:0 rm > # fuse > lxc.cgroup.devices.allow = c 10:229 rwm > # tun > diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in > index 7100acc..37a1b9c 100644 > --- a/templates/lxc-ubuntu.in > +++ b/templates/lxc-ubuntu.in > @@ -378,7 +378,7 @@ lxc.pts = 1024 > > lxc.utsname = $name > lxc.arch = $arch > -lxc.cap.drop = sys_module mac_admin mac_override > +lxc.cap.drop = sys_module mac_admin mac_override sys_time > > # When using LXC with apparmor, uncomment the next line to run unconfined: > #lxc.aa_profile = unconfined > @@ -399,7 +399,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm > lxc.cgroup.devices.allow = c 136:* rwm > lxc.cgroup.devices.allow = c 5:2 rwm > # rtc > -lxc.cgroup.devices.allow = c 254:0 rwm > +lxc.cgroup.devices.allow = c 254:0 rm > # fuse > lxc.cgroup.devices.allow = c 10:229 rwm > # tun > -- Stéphane Graber Ubuntu developer http://www.ubuntu.com signature.asc Description: OpenPGP digital signature -
Re: [lxc-devel] [PATCH] templates: deny writes to host's clock
Quoting Stéphane Graber (stgra...@ubuntu.com): > On 05/01/2013 06:51 AM, Serge Hallyn wrote: > > Don't allow write to /dev/rtc0, and remove sys_time (in any templates > > which drop any capabilities) > > > > Reported-by: Christoph Mitasch > > Signed-off-by: Serge Hallyn > > Assuming this has been tested not to prevent boot for any of the update > templates. > > Acked-by: Stéphane Graber I didn't test all of them, only ubuntu. If anything fails to boot because of inability to mess with host's clock, that will be interesting :) I'll test whatever ones I can (i.e. not sure all of them work) before pushing. > > > --- > > templates/lxc-alpine.in | 2 +- > > templates/lxc-archlinux.in| 2 +- > > templates/lxc-debian.in | 2 +- > > templates/lxc-fedora.in | 2 +- > > templates/lxc-opensuse.in | 4 ++-- > > templates/lxc-ubuntu-cloud.in | 4 ++-- > > templates/lxc-ubuntu.in | 4 ++-- > > 7 files changed, 10 insertions(+), 10 deletions(-) > > > > diff --git a/templates/lxc-alpine.in b/templates/lxc-alpine.in > > index 962d274..bb7cdb3 100644 > > --- a/templates/lxc-alpine.in > > +++ b/templates/lxc-alpine.in > > @@ -129,7 +129,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm > > lxc.cgroup.devices.allow = c 136:* rwm > > lxc.cgroup.devices.allow = c 5:2 rwm > > # rtc > > -lxc.cgroup.devices.allow = c 254:0 rwm > > +lxc.cgroup.devices.allow = c 254:0 rm > > > > # mounts point > > lxc.mount.entry=proc proc proc nodev,noexec,nosuid 0 0 > > diff --git a/templates/lxc-archlinux.in b/templates/lxc-archlinux.in > > index ed5fb46..98d5424 100644 > > --- a/templates/lxc-archlinux.in > > +++ b/templates/lxc-archlinux.in > > @@ -127,7 +127,7 @@ lxc.tty=1 > > lxc.pts=1024 > > lxc.rootfs=${rootfs_path} > > lxc.mount=${config_path}/fstab > > -lxc.cap.drop=mknod sys_module mac_admin mac_override > > +lxc.cap.drop=mknod sys_module mac_admin mac_override sys_time > > lxc.kmsg=0 > > lxc.stopsignal=SIGRTMIN+4 > > #networking 
> > diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in > > index 568bc2c..efb3e04 100644 > > --- a/templates/lxc-debian.in > > +++ b/templates/lxc-debian.in > > @@ -237,7 +237,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm > > lxc.cgroup.devices.allow = c 136:* rwm > > lxc.cgroup.devices.allow = c 5:2 rwm > > # rtc > > -lxc.cgroup.devices.allow = c 254:0 rwm > > +lxc.cgroup.devices.allow = c 254:0 rm > > > > # mounts point > > lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0 > > diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in > > index 6f31e99..7dc4516 100644 > > --- a/templates/lxc-fedora.in > > +++ b/templates/lxc-fedora.in > > @@ -272,7 +272,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm > > lxc.cgroup.devices.allow = c 136:* rwm > > lxc.cgroup.devices.allow = c 5:2 rwm > > # rtc > > -lxc.cgroup.devices.allow = c 254:0 rwm > > +lxc.cgroup.devices.allow = c 254:0 rm > > EOF > > > > cat < $config_path/fstab > > diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in > > index af92cf5..7d3dd1c 100644 > > --- a/templates/lxc-opensuse.in > > +++ b/templates/lxc-opensuse.in > > @@ -275,7 +275,7 @@ lxc.autodev=1 > > lxc.tty = 4 > > lxc.pts = 1024 > > lxc.mount = $path/fstab > > -lxc.cap.drop = sys_module mac_admin mac_override mknod > > +lxc.cap.drop = sys_module mac_admin mac_override mknod sys_time > > > > # When using LXC with apparmor, uncomment the next line to run unconfined: > > #lxc.aa_profile = unconfined > > @@ -295,7 +295,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm > > lxc.cgroup.devices.allow = c 136:* rwm > > lxc.cgroup.devices.allow = c 5:2 rwm > > # rtc > > -lxc.cgroup.devices.allow = c 254:0 rwm > > +lxc.cgroup.devices.allow = c 254:0 rm > > EOF > > > > cat < $path/fstab > > diff --git a/templates/lxc-ubuntu-cloud.in b/templates/lxc-ubuntu-cloud.in > > index d60f2c7..9f5cf19 100644 > > --- a/templates/lxc-ubuntu-cloud.in > > +++ b/templates/lxc-ubuntu-cloud.in 
> > @@ -55,7 +55,7 @@ lxc.pts = 1024 > > > > lxc.utsname = $name > > lxc.arch = $arch > > -lxc.cap.drop = sys_module mac_admin mac_override > > +lxc.cap.drop = sys_module mac_admin mac_override sys_time > > > > # When using LXC with apparmor, uncomment the next line to run unconfined: > > #lxc.aa_profile = unconfined > > @@ -76,7 +76,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm > > lxc.cgroup.devices.allow = c 136:* rwm > > lxc.cgroup.devices.allow = c 5:2 rwm > > # rtc > > -lxc.cgroup.devices.allow = c 254:0 rwm > > +lxc.cgroup.devices.allow = c 254:0 rm > > # fuse > > lxc.cgroup.devices.allow = c 10:229 rwm > > # tun > > diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in > > index 7100acc..37a1b9c 100644 > > --- a/templates/lxc-ubuntu.in > > +++ b/templates/lxc-ubuntu.in > > @@ -378,7 +378,7 @@ lxc.pts = 1024 > > > > lxc.utsname = $name > > lxc.arch = $arch > > -lxc.cap.drop = sys_module mac_admin mac_override > > +lxc.cap.drop = sys_module mac_admin mac_override sys_time > > > > # When using LX
Re: [lxc-devel] [PATCH] templates: deny writes to host's clock
On Wed, 1 May 2013 10:54:10 -0500 Serge Hallyn wrote: > Quoting Stéphane Graber (stgra...@ubuntu.com): > > On 05/01/2013 06:51 AM, Serge Hallyn wrote: > > > Don't allow write to /dev/rtc0, and remove sys_time (in any > > > templates which drop any capabilities) > > > > > > Reported-by: Christoph Mitasch > > > Signed-off-by: Serge Hallyn > > > > Assuming this has been tested not to prevent boot for any of the > > update templates. > > > > Acked-by: Stéphane Graber > > I didn't test all of them, only ubuntu. > > If anything fails to boot because of inability to mess with host's > clock, that will be interesting :) I'll test whatever ones I can > (i.e. not sure all of them work) before pushing. Just FYI, when I removed /dev/rtc0 from the lxc-oracle template, the containers still booted but /sbin/hwclock complained which is why it got commented out from the initscripts. Other than that removing /dev/rtc0 completely hasn't seemed to have any ill side effects. -- Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET Get 100% visibility into your production application - at no cost. Code-level diagnostics for performance bottlenecks with <2% overhead Download for free and get started troubleshooting in minutes. http://p.sf.net/sfu/appdyn_d2d_ap1 ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
Re: [lxc-devel] [PATCH] templates: deny writes to host's clock
Quoting Dwight Engen (dwight.en...@oracle.com): > On Wed, 1 May 2013 10:54:10 -0500 > Serge Hallyn wrote: > > > Quoting Stéphane Graber (stgra...@ubuntu.com): > > > On 05/01/2013 06:51 AM, Serge Hallyn wrote: > > > > Don't allow write to /dev/rtc0, and remove sys_time (in any > > > > templates which drop any capabilities) > > > > > > > > Reported-by: Christoph Mitasch > > > > Signed-off-by: Serge Hallyn > > > > > > Assuming this has been tested not to prevent boot for any of the > > > update templates. > > > > > > Acked-by: Stéphane Graber > > > > I didn't test all of them, only ubuntu. > > > > If anything fails to boot because of inability to mess with host's > > clock, that will be interesting :) I'll test whatever ones I can > > (i.e. not sure all of them work) before pushing. > > Just FYI, when I removed /dev/rtc0 from the lxc-oracle template, the > containers still booted but /sbin/hwclock complained which is why it > got commented out from the initscripts. Other than that removing > /dev/rtc0 completely hasn't seemed to have any ill side effects. Well, now I don't know. My patch only removed sys_time from templates already removing capabilities. I'm not sure that's right. I'm going to change it to remove it from all templates (as well as sys_module, mac_admin, and mac_override). The template doesn't get to decide how it can hose my host... -- Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET Get 100% visibility into your production application - at no cost. Code-level diagnostics for performance bottlenecks with <2% overhead Download for free and get started troubleshooting in minutes. http://p.sf.net/sfu/appdyn_d2d_ap1 ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
Re: [lxc-devel] [PATCH] templates: deny writes to host's clock
Quoting Serge Hallyn (serge.hal...@ubuntu.com): > Quoting Dwight Engen (dwight.en...@oracle.com): > > On Wed, 1 May 2013 10:54:10 -0500 > > Serge Hallyn wrote: > > > > > Quoting Stéphane Graber (stgra...@ubuntu.com): > > > > On 05/01/2013 06:51 AM, Serge Hallyn wrote: > > > > > Don't allow write to /dev/rtc0, and remove sys_time (in any > > > > > templates which drop any capabilities) > > > > > > > > > > Reported-by: Christoph Mitasch > > > > > Signed-off-by: Serge Hallyn > > > > > > > > Assuming this has been tested not to prevent boot for any of the > > > > update templates. > > > > > > > > Acked-by: Stéphane Graber > > > > > > I didn't test all of them, only ubuntu. > > > > > > If anything fails to boot because of inability to mess with host's > > > clock, that will be interesting :) I'll test whatever ones I can > > > (i.e. not sure all of them work) before pushing. > > > > Just FYI, when I removed /dev/rtc0 from the lxc-oracle template, the > > containers still booted but /sbin/hwclock complained which is why it > > got commented out from the initscripts. Other than that removing > > /dev/rtc0 completely hasn't seemed to have any ill side effects. > > Well, now I don't know. My patch only removed sys_time from templates > already removing capabilities. I'm not sure that's right. I'm going > to change it to remove it from all templates (as well as sys_module, > mac_admin, > and mac_override). The template doesn't get to decide how it can hose my > host... Alternatively I suppose we could recommend distributions add a reasonable lxc.cap.drop to /etc/lxc/default.conf. I.e., it would go more along with installation of apparmor and selinux profiles. -- Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET Get 100% visibility into your production application - at no cost. Code-level diagnostics for performance bottlenecks with <2% overhead Download for free and get started troubleshooting in minutes. 
[lxc-devel] [PATCH] templates: deny writes to host's clock (v2)
Don't allow write to /dev/rtc0, and remove sys_time. Thanks, Christoph.

v2: drop sys_time, sys_module, mac_admin and mac_override in all templates.

Reported-by: Christoph Mitasch
Signed-off-by: Serge Hallyn
---
templates/lxc-alpine.in | 3 ++-
templates/lxc-altlinux.in | 1 +
templates/lxc-archlinux.in| 2 +-
templates/lxc-busybox.in | 1 +
templates/lxc-debian.in | 3 ++-
templates/lxc-fedora.in | 3 ++-
templates/lxc-opensuse.in | 4 ++--
templates/lxc-sshd.in | 1 +
templates/lxc-ubuntu-cloud.in | 4 ++--
templates/lxc-ubuntu.in | 4 ++--
10 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/templates/lxc-alpine.in b/templates/lxc-alpine.in
index 962d274..98347ed 100644
--- a/templates/lxc-alpine.in
+++ b/templates/lxc-alpine.in
@@ -109,6 +109,7 @@ EOF
 lxc.tty = 4
 lxc.pts = 1024
 lxc.utsname = $hostname
+lxc.cap.drop = sys_module mac_admin mac_override sys_time
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined
@@ -129,7 +130,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
 lxc.cgroup.devices.allow = c 136:* rwm
 lxc.cgroup.devices.allow = c 5:2 rwm
 # rtc
-lxc.cgroup.devices.allow = c 254:0 rwm
+lxc.cgroup.devices.allow = c 254:0 rm
 
 # mounts point
 lxc.mount.entry=proc proc proc nodev,noexec,nosuid 0 0
diff --git a/templates/lxc-altlinux.in b/templates/lxc-altlinux.in
index da66ae7..cce214c 100644
--- a/templates/lxc-altlinux.in
+++ b/templates/lxc-altlinux.in
@@ -243,6 +243,7 @@ lxc.utsname = $name
 lxc.tty = 4
 lxc.pts = 1024
 lxc.mount = $config_path/fstab
+lxc.cap.drop = sys_module mac_admin mac_override sys_time
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined
diff --git a/templates/lxc-archlinux.in b/templates/lxc-archlinux.in
index ed5fb46..98d5424 100644
--- a/templates/lxc-archlinux.in
+++ b/templates/lxc-archlinux.in
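Review bot: The new `lxc.cap.drop = sys_module mac_admin mac_override sys_time` line carries no comment explaining the selection, and the same literal list is now repeated across eight templates while lxc-archlinux.in and lxc-opensuse.in keep a different set that also contains `mknod`. Suggest a one-line comment above each new line, `# drop caps that reach outside the container: module loading, MAC policy, system clock`, and a stated decision on whether `mknod` belongs in the common list or why those two templates differ. The same note applies to the altlinux, busybox, debian and fedora hunks of this patch.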
@@ -127,7 +127,7 @@ lxc.tty=1
 lxc.pts=1024
 lxc.rootfs=${rootfs_path}
 lxc.mount=${config_path}/fstab
-lxc.cap.drop=mknod sys_module mac_admin mac_override
+lxc.cap.drop=mknod sys_module mac_admin mac_override sys_time
 lxc.kmsg=0
 lxc.stopsignal=SIGRTMIN+4
 #networking
diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
index 2ca2bfd..81e9566 100644
--- a/templates/lxc-busybox.in
+++ b/templates/lxc-busybox.in
@@ -261,6 +261,7 @@ cat <> $path/config
 lxc.utsname = $name
 lxc.tty = 1
 lxc.pts = 1
+lxc.cap.drop = sys_module mac_admin mac_override sys_time
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined
diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in
index 568bc2c..d4ea3de 100644
--- a/templates/lxc-debian.in
+++ b/templates/lxc-debian.in
@@ -218,6 +218,7 @@ copy_configuration()
 lxc.tty = 4
 lxc.pts = 1024
 lxc.utsname = $hostname
+lxc.cap.drop = sys_module mac_admin mac_override sys_time
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined
@@ -237,7 +238,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
 lxc.cgroup.devices.allow = c 136:* rwm
 lxc.cgroup.devices.allow = c 5:2 rwm
 # rtc
-lxc.cgroup.devices.allow = c 254:0 rwm
+lxc.cgroup.devices.allow = c 254:0 rm
 
 # mounts point
 lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in
index 6f31e99..59f453b 100644
--- a/templates/lxc-fedora.in
+++ b/templates/lxc-fedora.in
@@ -252,6 +252,7 @@ lxc.utsname = $name
 lxc.tty = 4
 lxc.pts = 1024
 lxc.mount = $config_path/fstab
+lxc.cap.drop = sys_module mac_admin mac_override sys_time
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined
@@ -272,7 +273,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
 lxc.cgroup.devices.allow = c 136:* rwm
 lxc.cgroup.devices.allow = c 5:2 rwm
 # rtc
-lxc.cgroup.devices.allow = c 254:0 rwm
+lxc.cgroup.devices.allow = c 254:0 rm
 EOF
 
 cat < $config_path/fstab
diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in
index af92cf5..7d3dd1c 100644
--- a/templates/lxc-opensuse.in
+++ b/templates/lxc-opensuse.in
@@ -275,7 +275,7 @@ lxc.autodev=1
 lxc.tty = 4
 lxc.pts = 1024
 lxc.mount = $path/fstab
-lxc.cap.drop = sys_module mac_admin mac_override mknod
+lxc.cap.drop = sys_module mac_admin mac_override mknod sys_time
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined
@@ -295,7 +295,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
 lxc.cgroup.devices.allow = c 136:* rwm
 lxc.cgroup.devices.allow = c 5:2 rwm
 # rtc
-lxc.cgroup.devices.allow = c 254:0 rwm
+lxc.cgroup.devices.allow = c 254:0 rm
 EOF
 
 cat < $path/fstab
diff --git a/templates/lxc-sshd.in b/templates/lxc-sshd.in
index b704723..2927c92 100644
--- a/templates/lxc-sshd.in
+++ b/templates/lxc-sshd.in
@@ -112,6 +112,7 @@ copy_configuration()
 cat <> $path/config
 lxc.utsname = $name
 lxc.pts = 1024
+lxc.cap.
[lxc-devel] [PATCH] allow lxc-init to log when rootfs not given
On Mon, 29 Apr 2013 14:44:47 -0500 Serge Hallyn wrote: > Quoting Dwight Engen (dwight.en...@oracle.com): > > So I did this, only to realize that lxc-init is passing "none" for > > the file anyway, so it currently doesn't intend to log. This makes > > me think that passing NULL for lxcpath is the right thing to do in > > this patch. If you want me to make it so lxc-init can log, I can do > > that but I think it should be in a different change :) > > That actually would be very useful, but as you say that's a different > feature - thanks. ... and here is said change.
---
fixed leak in error case in execute_start(), made lxc_log_init() safe to call with NULL lxcpath.

Signed-off-by: Dwight Engen
---
src/lxc/execute.c | 27 ++
src/lxc/log.c | 3 +++
src/lxc/lxc_init.c | 68 +++---
3 files changed, 75 insertions(+), 23 deletions(-)

diff --git a/src/lxc/execute.c b/src/lxc/execute.c
index c1f6526..d93e8e1 100644
--- a/src/lxc/execute.c
+++ b/src/lxc/execute.c
@@ -27,6 +27,7 @@
 #include
 #include
 
+#include "conf.h"
 #include "log.h"
 #include "start.h"
 
@@ -85,23 +86,37 @@ static int execute_start(struct lxc_handler *handler, void* data)
 int j, i = 0;
 struct execute_args *my_args = data;
 char **argv;
- int argc = 0;
+ int argc = 0, argc_add;
 char *initpath;
 while (my_args->argv[argc++]);
- argv = malloc((argc + my_args->quiet ? 5 : 4) * sizeof(*argv));
+ argc_add = 4;
+ if (my_args->quiet)
+ argc_add++;
+ if (!handler->conf->rootfs.path)
+ argc_add+=6;
+
+ argv = malloc((argc + argc_add) * sizeof(*argv));
 if (!argv)
- return 1;
+ goto out1;
 initpath = choose_init();
 if (!initpath) {
 ERROR("Failed to find an lxc-init");
- return 1;
+ goto out2;
 }
 argv[i++] = initpath;
 if (my_args->quiet)
 argv[i++] = "--quiet";
+ if (!handler->conf->rootfs.path) {
+ argv[i++] = "--name";
+ argv[i++] = (char *)handler->name;
+ argv[i++] = "--lxcpath";
+ argv[i++] = (char *)handler->lxcpath;
+ argv[i++] = "--logpriority";
+ argv[i++] = (char *)lxc_log_priority_to_string(lxc_log_get_level());
+ }
 argv[i++] = "--";
 for (j = 0; j < argc; j++)
 argv[i++] = my_args->argv[j];
@@ -111,6 +126,10 @@ static int execute_start(struct lxc_handler *handler, void* data)
 execvp(argv[0], argv);
 SYSERROR("failed to exec %s", argv[0]);
 
+ free(initpath);
+out2:
+ free(argv);
+out1:
 return 1;
 }
 
diff --git a/src/lxc/log.c b/src/lxc/log.c
index 8d87a51..d49a544 100644
--- a/src/lxc/log.c
+++ b/src/lxc/log.c
@@ -318,6 +318,9 @@ extern int lxc_log_init(const char *name, const char *file,
 } else {
 ret = -1;
 
+ if (!lxcpath)
+ lxcpath = LOGPATH;
+
 /* try LOGPATH if lxcpath is the default */
 if (strcmp(lxcpath, default_lxc_path()) == 0)
 ret = _lxc_log_set_file(name, NULL, 0);
diff --git a/src/lxc/lxc_init.c b/src/lxc/lxc_init.c
index 663875b..f772f0d 100644
--- a/src/lxc/lxc_init.c
+++ b/src/lxc/lxc_init.c
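Review bot: The removed `malloc((argc + my_args->quiet ? 5 : 4) * sizeof(*argv))` parses as `(argc + quiet) ? 5 : 4`, so the old code always allocated five pointers and the fill loop below overran that buffer as soon as the command being executed had more than a couple of arguments; the new `argc + argc_add` sizing fixes it, but the commit message only mentions the leak, so the overflow should be named there so the fix is not lost when backporting. The six new entries in the `!handler->conf->rootfs.path` branch store `(char *)handler->lxcpath` and the result of `lxc_log_priority_to_string()` without a check; if either can be NULL here (I cannot tell from this hunk), that NULL terminates argv early and execvp() never sees `--` or the user's command, so a guard such as `if (!handler->lxcpath) goto out2;` before filling the slots would make the assumption explicit. The `free(initpath)` added after the failed execvp() assumes choose_init() hands back heap memory, which is not visible here. execute_start's opening brace sits above the first hunk and the function continues between the two hunks.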
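Review bot: After the new `if (!lxcpath) lxcpath = LOGPATH;` the code still runs `strcmp(lxcpath, default_lxc_path())`, so a NULL caller only reaches the `_lxc_log_set_file(name, NULL, 0)` branch when LOGPATH happens to equal the default container path; otherwise it falls through to whatever the else block does for a non-default lxcpath, with LOGPATH standing in as a container path, which does not match the "try LOGPATH" comment. If the intent is to log under LOGPATH whenever no lxcpath was supplied, selecting that branch directly, `if (!lxcpath || strcmp(lxcpath, default_lxc_path()) == 0)`, says so without rewriting the argument. The rest of the else block is below the hunk, so a later fallback may already cover this.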
@@ -43,7 +43,10 @@ lxc_log_define(lxc_init, lxc);
 static int quiet;
 
 static struct option options[] = {
- { "quiet", no_argument, &quiet, 1 },
+ { "name",required_argument, NULL, 'n' },
+ { "logpriority", required_argument, NULL, 'l' },
+ { "quiet", no_argument, NULL, 'q' },
+ { "lxcpath", required_argument, NULL, 'P' },
 { 0, 0, 0, 0 },
 };
 
@@ -55,39 +58,66 @@ static void interrupt_handler(int sig)
 was_interrupted = sig;
 }
 
+static void usage(void) {
+ fprintf(stderr, "Usage: lxc-init [OPTION]...\n\n"
+ "Common options :\n"
+ " -n, --name=NAME NAME for name of the container\n"
+ " -l, --logpriority=LEVEL Set log priority to LEVEL\n"
+ " -q, --quiet Don't produce any output\n"
+ " -P, --lxcpath=PATH Use specified container path\n"
+ " -?, --help Give this help list\n"
+ "\n"
+ "Mandatory or optional arguments to long options are also mandatory or optional\n"
+ "for any corresponding short options.\n"
+ "\n"
+ "NOTE: lxc-init is intended for use by lxc internally\n"
+ " and does not need to be run by hand\n\n");
+}
 int main(int argc, char *argv[])
 {
 pid_t pid;
- int nbargs = 0;
- int err = -1;
+ int err;
 char **aargv;
 sigset_t mask, omask;
 int i, have_status = 0, shutdown = 0;
+
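Review bot: The new option table has no `help` entry, yet the usage() text added in the following hunk advertises `-?, --help`; getopt_long() will therefore report `--help` as an unrecognized option on stderr before returning '?', so the help only appears by accident and with a spurious diagnostic. Adding `{ "help", no_argument, NULL, '?' },` next to the other entries keeps the table and the help text in agreement. Replacing `&quiet, 1` with `NULL, 'q'` also means getopt no longer stores into the static `quiet`, so main's option switch must assign it explicitly; that switch is beyond what is visible, and main() itself starts in the next hunk, which is cut off in this view.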
[lxc-devel] [PATCH] clone: a few fixes
clean up error case in clone, which in particular could cause double lxc_container_put(c2) for overlayfs, handle (with error message) all bdev types.

Signed-off-by: Serge Hallyn
---
src/lxc/bdev.c | 11 ++-
src/lxc/lxccontainer.c | 25 +++--
2 files changed, 13 insertions(+), 23 deletions(-)

diff --git a/src/lxc/bdev.c b/src/lxc/bdev.c
index 1de302f..9408918 100644
--- a/src/lxc/bdev.c
+++ b/src/lxc/bdev.c
@@ -1186,11 +1186,6 @@ static int overlayfs_clonepaths(struct bdev *orig, struct bdev *new, const char
 free(delta);
 if (ret < 0 || ret >= len)
 return -ENOMEM;
- } else if (strcmp(orig->type, "lvm") == 0) {
- ERROR("overlayfs clone of lvm container is not yet supported");
- // Note, supporting this will require overlayfs_mount supporting
- // mounting of the underlay. No big deal, just needs to be done.
- return -1;
 } else if (strcmp(orig->type, "overlayfs") == 0) {
 // What exactly do we want to do here?
 // I think we want to use the original lowerdir, with a
@@ -1228,6 +1223,12 @@ static int overlayfs_clonepaths(struct bdev *orig, struct bdev *new, const char
 free(ndelta);
 if (ret < 0 || ret >= len)
 return -ENOMEM;
+ } else {
+ ERROR("overlayfs clone of %s container is not yet supported",
+ orig->type);
+ // Note, supporting this will require overlayfs_mount supporting
+ // mounting of the underlay. No big deal, just needs to be done.
+ return -1;
 }
 
 return 0;
diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index 10f188e..452323c 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -1477,7 +1477,7 @@ struct lxc_container *lxcapi_clone(struct lxc_container *c, const char *newname,
 }
 
 c2 = lxc_container_new(n, l);
- if (!c) {
+ if (!c2) {
 ERROR("clone: failed to create new container (%s %s)", n, l);
 goto out;
 }
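Review bot: The two-line comment moved into the new catch-all `else` in overlayfs_clonepaths, `// Note, supporting this will require overlayfs_mount supporting mounting of the underlay`, was written for the lvm branch it replaces; the branch now fires for every backing store that has no case above it, and the stated reason will not hold for all of them. Suggest rewording it to describe the contract rather than one type, along the lines of `// only the origin types handled above can be cloned onto overlayfs; anything else would first need overlayfs_mount to mount the underlay`, since the branches above the first hunk are not visible here. The ERROR text itself is an improvement because it now reports orig->type. overlayfs_clonepaths begins above the first hunk and its earlier branches are not shown.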
@@ -1487,16 +1487,12 @@ struct lxc_container *lxcapi_clone(struct lxc_container *c, const char *newname,
 ret = copyhooks(c, c2);
 if (ret < 0) {
 ERROR("error copying hooks");
- c2->destroy(c2);
- lxc_container_put(c2);
 goto out;
 }
 }
 
 if (copy_fstab(c, c2) < 0) {
 ERROR("error copying fstab");
- c2->destroy(c2);
- lxc_container_put(c2);
 goto out;
 }
 
@@ -1506,23 +1502,14 @@ struct lxc_container *lxcapi_clone(struct lxc_container *c, const char *newname,
 
 // copy/snapshot rootfs's
 ret = copy_storage(c, c2, bdevtype, flags, bdevdata, newsize);
- if (ret < 0) {
- c2->destroy(c2);
- lxc_container_put(c2);
+ if (ret < 0)
 goto out;
- }
 
- if (!c2->save_config(c2, NULL)) {
- c2->destroy(c2);
- lxc_container_put(c2);
+ if (!c2->save_config(c2, NULL))
 goto out;
- }
 
- if (clone_update_rootfs(c2, flags) < 0) {
- //c2->destroy(c2);
- lxc_container_put(c2);
+ if (clone_update_rootfs(c2, flags) < 0)
 goto out;
- }
 
 // TODO: update c's lxc.snapshot = count
 lxcunlock(c->privlock);
@@ -1530,8 +1517,10 @@ struct lxc_container *lxcapi_clone(struct lxc_container *c, const char *newname,
 
 out:
 lxcunlock(c->privlock);
- if (c2)
+ if (c2) {
+ c2->destroy(c2);
 lxc_container_put(c2);
+ }
 return NULL;
 }
-- 
1.7.9.5

--
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET Get 100% visibility into your production application - at no cost. Code-level diagnostics for performance bottlenecks with <2% overhead Download for free and get started troubleshooting in minutes. http://p.sf.net/sfu/appdyn_d2d_ap1 ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
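Review bot: With the new `out:` block every failure after lxc_container_new() now runs `c2->destroy(c2)`, including the clone_update_rootfs() failure in the @@ -1506 hunk, where the removed code had `//c2->destroy(c2);` deliberately commented out and only dropped the reference. If leaving the half-built clone on disk there was intentional, say for inspection or because destroy on a partially prepared rootfs is unsafe, that path needs its own handling; if the comment-out was a leftover, the commit message should state that the behaviour on that error now changes. The shared `out:` also calls `lxcunlock(c->privlock)` for the early `goto out` from the `if (!c2)` check in the @@ -1477 hunk, which is correct only if the lock has been taken before every jump to it; the lock acquisition is above the visible hunks, as is the start of lxcapi_clone.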