[lxc-devel] [PATCH] oracle template: restrict writeability in /proc and /sys
Dwight Engen
dwight.engen at oracle.com
Wed Oct 23 21:03:40 UTC 2013
Note that since we don't drop CAP_SYS_ADMIN, root in the container can
remount proc or sys however they want to; however, this at least improves
the default situation.
Signed-off-by: Dwight Engen <dwight.engen at oracle.com>
---
templates/lxc-oracle.in | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/templates/lxc-oracle.in b/templates/lxc-oracle.in
index ddc6d74..78d99ee 100644
--- a/templates/lxc-oracle.in
+++ b/templates/lxc-oracle.in
@@ -350,7 +350,7 @@ lxc.utsname = $name
lxc.devttydir = lxc
lxc.tty = 4
lxc.pts = 1024
-lxc.mount = $cfg_dir/fstab
+lxc.mount.auto = proc:mixed sys:ro
lxc.hook.clone = @DATADIR@/lxc/hooks/clonehostname
# Uncomment these if you don't run anything that needs the capability, and
# would like the container to run with less privilege.
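Review bot: The CAP_SYS_ADMIN caveat lives only in the commit message; at `lxc.mount.auto = proc:mixed sys:ro` the generated config gives no hint that root in the container can still remount proc or sys. The context lines right below already introduce the optional capability drops ("Uncomment these if you don't run anything that needs the capability"), so a one-line comment above the new setting, saying the restricted mounts are only a default while CAP_SYS_ADMIN is kept, would put that information in the file an admin actually reads. The new line also replaces `lxc.mount = $cfg_dir/fstab` rather than sitting beside it, so newly generated configs no longer point at a per-container fstab for extra mounts; worth saying in the commit message if that is intended.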
@@ -404,11 +404,6 @@ lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc console
lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master
EOF
-
- cat <<EOF > $cfg_dir/fstab || die "unable to create $cfg_dir/fstab"
-proc proc proc nodev,noexec,nosuid 0 0
-sysfs sys sysfs defaults 0 0
-EOF
}
container_rootfs_clone()
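Review bot: The removed fstab entry mounted proc with `nodev,noexec,nosuid`, and nothing in the patch says whether `proc:mixed` keeps those flags; please confirm, or state in the commit message that dropping them is deliberate. Since the file is no longer created, also check that nothing else in the template still expects `$cfg_dir/fstab` to exist (for instance the clone path that follows this function). Configs already generated by the older template keep `lxc.mount = $cfg_dir/fstab` with `sysfs defaults`, so the tightening reaches only newly created containers.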
--
1.8.3.1