On Thu, Apr 18, 2013 at 11:31:56AM +0200, Mohamed Larabi wrote:
> Hi Daniel,
> knowing that the /dev/random (c 1:8 rwm) device is assigned to the containers, the
> problem is:
> - with libvirt 1.0.3: inside the container, I can do rm -f /dev/random; mknod
>   /dev/random c 1 8 (which works fine)
> - with libvirt 1.0.4: rm -f /dev/random; mknod /dev/random c 1 8 is not working
>   (mknod: `random': Operation not permitted)
> Why is it allowed in 1.0.3 and not in 1.0.4?
Because in 1.0.4 we fixed the bug that mistakenly allowed mknod in
earlier releases. We were already blocking users from accessing any
other devices via cgroups, but we mistakenly didn't forbid mknod via
the system capabilities which is more secure than cgroups. Just don't
delete the devices that are pre-populated by libvirt.
Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
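An added check, not from this thread or from libvirt itself, for confirming from inside a container which of the two mechanisms Daniel describes is in effect: it reads the capability bounding set from a /proc status file and reports whether CAP_MKNOD (kernel bit 27, assumed here to be the capability libvirt drops since the mail only says "system capabilities") is present, independent of any cgroup device rule.

```shell
#!/bin/sh
# Added example: inspect a /proc/<pid>/status capability mask for CAP_MKNOD.
# Assumption: libvirt's fix removes CAP_MKNOD from the container's bounding
# set; without that bit, mknod(2) fails with EPERM no matter what the cgroup
# device whitelist (e.g. "c 1:8 rwm") allows.
CAP_MKNOD_BIT=27   # from <linux/capability.h>

# cap_has MASKHEX BIT : succeed if bit BIT is set in the hex mask MASKHEX
cap_has() {
    mask_hex=$1
    bit=$2
    [ $(( (0x$mask_hex >> bit) & 1 )) -eq 1 ]
}

# status_cap_mask FIELD : print the hex mask for FIELD (CapBnd, CapEff, ...)
# from /proc status text read on stdin
status_cap_mask() {
    awk -v f="$1:" '$1 == f { print $2 }'
}

# check_mknod_in_bounding_set [STATUS_FILE]
# Returns 0 (and prints a note) when CAP_MKNOD is absent, i.e. the container
# is confined the 1.0.4 way; returns 1 when mknod of new nodes is possible.
check_mknod_in_bounding_set() {
    mask=$(status_cap_mask CapBnd < "${1:-/proc/self/status}")
    if cap_has "$mask" "$CAP_MKNOD_BIT"; then
        echo "CapBnd=$mask: CAP_MKNOD present, mknod of device nodes is possible"
        return 1
    fi
    echo "CapBnd=$mask: CAP_MKNOD dropped, mknod is denied regardless of cgroup rules"
    return 0
}
```

Run `check_mknod_in_bounding_set` inside the container; a full root set such as `0000003fffffffff` reports CAP_MKNOD present, while `0000003ff7ffffff` (bit 27 cleared) reports it dropped.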