[originally posted to the wrong list]
On 11/01/2012 12:57 PM, Daniel J Walsh wrote:
0001-Linux-Containers-are-not-allowed-to-create-device-no.patch
From 3913ef4148728430cc9df79b84d5ec44130f4ac8 Mon Sep 17 00:00:00 2001
From: rhatdan <dwalsh(a)redhat.com>
I'll adjust the author attribution to match other patches of yours (we
generally prefer 'git shortlog' to list full names).
Date: Thu, 1 Nov 2012 14:54:39 -0400
Subject: [PATCH] Linux Containers are not allowed to create device nodes.
This needs to be done before the container starts. Turning
off the mknod capabilty is noticed by systemd, which will
s/capabilty/capability/
no longer attempt to create device nodes.
Missing a blank line, so 'git log' tries to treat this as a really long
subject line.
This eliminates SELinux AVC messages and ugly failure messages in the journal.
---
src/lxc/lxc_container.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 2789c17..8faa664 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -1717,6 +1717,7 @@ static int lxcContainerDropCapabilities(bool keepReboot
ATTRIBUTE_UNUSED)
CAPNG_INHERITABLE | CAPNG_BOUNDING_SET,
CAP_SYS_MODULE, /* No kernel module loading */
CAP_SYS_TIME, /* No changing the clock */
+ CAP_MKNOD, /* No creating device nodes */
CAP_AUDIT_CONTROL, /* No messing with auditing status */
CAP_MAC_ADMIN, /* No messing with LSM config */
keepReboot ? -1 : CAP_SYS_BOOT, /* No use of reboot */
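Review bot: the commit message says the device nodes have to be created before the container starts, but nothing in this hunk shows that ordering; it is worth confirming that the container's /dev nodes are populated before lxcContainerDropCapabilities() runs, because the list is applied with CAPNG_BOUNDING_SET and once CAP_MKNOD leaves the bounding set no process in the container, root included, can get it back. A sentence in the commit message, or a short comment next to the new CAP_MKNOD entry, would make that dependency explicit for the next reader.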
Makes sense to me. ACK; I'll clean it up and push in time for 1.0.0.
--
Eric Blake eblake(a)redhat.com +1-919-301-3266
Libvirt virtualization library
http://libvirt.org
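As an added illustration (not libvirt code and not part of the thread), the following C program performs the same bounding-set drop the patch adds, using prctl(2) directly instead of libcap-ng, and then checks the result the way any process inside the container can: by reading the CapBnd mask from /proc/self/status. The function and variable names are my own; the sample status lines in the test are constructed.

```c
/* Added example, not libvirt code: drop CAP_MKNOD from the bounding set with
 * prctl(2), the effect lxcContainerDropCapabilities() gets through libcap-ng,
 * and verify it from /proc/self/status as a process in the container would. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/capability.h>

/* 1 if bit 'cap' is set in a "CapXxx:\t<hex>" status line, 0 if clear,
 * -1 if the line does not parse. */
int cap_in_status_line(const char *line, int cap)
{
    const char *colon = strchr(line, ':');
    if (!colon || cap < 0 || cap > 63)
        return -1;
    return (int)((strtoull(colon + 1, NULL, 16) >> cap) & 1ULL);
}

/* Same check against the live bounding set of the calling process. */
int cap_in_bounding_set(int cap)
{
    char line[256];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f))
        if (strncmp(line, "CapBnd:", 7) == 0) {
            fclose(f);
            return cap_in_status_line(line, cap);
        }
    fclose(f);
    return -1;
}

/* Remove CAP_MKNOD from the bounding set: 0 on success, errno otherwise.
 * The drop is one-way and needs CAP_SETPCAP, so an unprivileged run gets EPERM. */
int drop_mknod_from_bounding_set(void)
{
    return prctl(PR_CAPBSET_DROP, CAP_MKNOD, 0, 0, 0) == -1 ? errno : 0;
}

int main(void)
{
    int rc = drop_mknod_from_bounding_set();
    printf("drop CAP_MKNOD: %s, CAP_MKNOD still in CapBnd: %d\n",
           rc ? strerror(rc) : "ok", cap_in_bounding_set(CAP_MKNOD));
    return 0;
}
```

Run as root with CAP_SETPCAP the drop succeeds and CapBnd reports 0 for bit 27; run unprivileged it reports EPERM, which is the same one-way, privileged-only property the libvirt code relies on.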