[lxc-devel] [PATCH] templates: deny writes to host's clock
Serge Hallyn
serge.hallyn at ubuntu.com
Wed May 1 15:54:10 UTC 2013
Quoting Stéphane Graber (stgraber at ubuntu.com):
> On 05/01/2013 06:51 AM, Serge Hallyn wrote:
> > Don't allow write to /dev/rtc0, and remove sys_time (in any templates
> > which drop any capabilities)
> >
> > Reported-by: Christoph Mitasch <cmitasch at thomas-krenn.com>
> > Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
>
> Assuming this has been tested not to prevent boot for any of the update
> templates.
>
> Acked-by: Stéphane Graber <stgraber at ubuntu.com>
I didn't test all of them, only ubuntu.
If anything fails to boot because of inability to mess with host's
clock, that will be interesting :) I'll test whatever ones I can
(i.e. not sure all of them work) before pushing.
>
> > ---
> > templates/lxc-alpine.in | 2 +-
> > templates/lxc-archlinux.in | 2 +-
> > templates/lxc-debian.in | 2 +-
> > templates/lxc-fedora.in | 2 +-
> > templates/lxc-opensuse.in | 4 ++--
> > templates/lxc-ubuntu-cloud.in | 4 ++--
> > templates/lxc-ubuntu.in | 4 ++--
> > 7 files changed, 10 insertions(+), 10 deletions(-)
> >
> > diff --git a/templates/lxc-alpine.in b/templates/lxc-alpine.in
> > index 962d274..bb7cdb3 100644
> > --- a/templates/lxc-alpine.in
> > +++ b/templates/lxc-alpine.in
> > @@ -129,7 +129,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
> > lxc.cgroup.devices.allow = c 136:* rwm
> > lxc.cgroup.devices.allow = c 5:2 rwm
> > # rtc
> > -lxc.cgroup.devices.allow = c 254:0 rwm
> > +lxc.cgroup.devices.allow = c 254:0 rm
> >
> > # mounts point
> > lxc.mount.entry=proc proc proc nodev,noexec,nosuid 0 0
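Review bot: for alpine this patch only clears the write bit on the rtc node, so unless the template drops capabilities somewhere outside this hunk (the commit message says sys_time was only added to templates that already drop some), root inside the container keeps CAP_SYS_TIME and can still call settimeofday()/clock_settime()/adjtimex(), which change the host's system clock without touching /dev/rtc0 at all; there is no time namespace to isolate that. Suggest adding a `lxc.cap.drop = sys_time` line to this template too, even though it drops nothing else today.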
> > diff --git a/templates/lxc-archlinux.in b/templates/lxc-archlinux.in
> > index ed5fb46..98d5424 100644
> > --- a/templates/lxc-archlinux.in
> > +++ b/templates/lxc-archlinux.in
> > @@ -127,7 +127,7 @@ lxc.tty=1
> > lxc.pts=1024
> > lxc.rootfs=${rootfs_path}
> > lxc.mount=${config_path}/fstab
> > -lxc.cap.drop=mknod sys_module mac_admin mac_override
> > +lxc.cap.drop=mknod sys_module mac_admin mac_override sys_time
> > lxc.kmsg=0
> > lxc.stopsignal=SIGRTMIN+4
> > #networking
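Review bot: the diffstat lists a single changed line for lxc-archlinux.in, so this template gets the sys_time drop but no rtc device hunk. Either the archlinux config never whitelists c 254:0 (then fine) or it still allows it rwm; please check, since every other template in the patch got the device line changed. Also, with systemd as init here (the SIGRTMIN+4 stop signal), `timedatectl set-time` and any ntp unit will now fail with EPERM, which is the intended effect but worth one boot test given only ubuntu was tried.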
> > diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in
> > index 568bc2c..efb3e04 100644
> > --- a/templates/lxc-debian.in
> > +++ b/templates/lxc-debian.in
> > @@ -237,7 +237,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
> > lxc.cgroup.devices.allow = c 136:* rwm
> > lxc.cgroup.devices.allow = c 5:2 rwm
> > # rtc
> > -lxc.cgroup.devices.allow = c 254:0 rwm
> > +lxc.cgroup.devices.allow = c 254:0 rm
> >
> > # mounts point
> > lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
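Review bot: same gap as alpine: the diffstat shows one changed line for lxc-debian.in, and the context above has device allows and mount entries but no cap.drop, so the template ends up with the rtc node read-only while CAP_SYS_TIME stays in the bounding set and the system clock (the part of the host's clock other containers actually see) remains writable from inside. A `lxc.cap.drop = sys_time` line in this config block would close that.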
> > diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in
> > index 6f31e99..7dc4516 100644
> > --- a/templates/lxc-fedora.in
> > +++ b/templates/lxc-fedora.in
> > @@ -272,7 +272,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
> > lxc.cgroup.devices.allow = c 136:* rwm
> > lxc.cgroup.devices.allow = c 5:2 rwm
> > # rtc
> > -lxc.cgroup.devices.allow = c 254:0 rwm
> > +lxc.cgroup.devices.allow = c 254:0 rm
> > EOF
> >
> > cat <<EOF > $config_path/fstab
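Review bot: the hunk ends on the `EOF` that closes the config heredoc, so if fedora is to get a sys_time drop as well (like alpine and debian it only receives the device-node change here), the `lxc.cap.drop = sys_time` line has to be inserted above that `EOF`, not after it, or it ends up in the fstab heredoc that starts on the next line.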
> > diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in
> > index af92cf5..7d3dd1c 100644
> > --- a/templates/lxc-opensuse.in
> > +++ b/templates/lxc-opensuse.in
> > @@ -275,7 +275,7 @@ lxc.autodev=1
> > lxc.tty = 4
> > lxc.pts = 1024
> > lxc.mount = $path/fstab
> > -lxc.cap.drop = sys_module mac_admin mac_override mknod
> > +lxc.cap.drop = sys_module mac_admin mac_override mknod sys_time
> >
> > # When using LXC with apparmor, uncomment the next line to run unconfined:
> > #lxc.aa_profile = unconfined
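Review bot: a one-line comment next to the extended cap.drop entry would save users a debugging round: once sys_time is out of the bounding set, hwclock, ntpd and `date -s` inside the container all fail with EPERM and nothing in the generated config explains why. Something like `# sys_time: the container must not be able to change the host's clock` above the line is enough.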
> > @@ -295,7 +295,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
> > lxc.cgroup.devices.allow = c 136:* rwm
> > lxc.cgroup.devices.allow = c 5:2 rwm
> > # rtc
> > -lxc.cgroup.devices.allow = c 254:0 rwm
> > +lxc.cgroup.devices.allow = c 254:0 rm
> > EOF
> >
> > cat <<EOF > $path/fstab
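Review bot: while this line is being touched it is worth verifying the major: the rtc class gets a dynamically allocated character major, which is 254 on most hosts but not guaranteed everywhere, so `c 254:0` may not match /dev/rtc0 on every system (`stat -c '%t:%T' /dev/rtc0` on the host prints the real major:minor in hex). Not introduced by this patch, and a wrong major fails closed under a whitelist devices cgroup, but the read-only intent is lost if the entry never matches.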
> > diff --git a/templates/lxc-ubuntu-cloud.in b/templates/lxc-ubuntu-cloud.in
> > index d60f2c7..9f5cf19 100644
> > --- a/templates/lxc-ubuntu-cloud.in
> > +++ b/templates/lxc-ubuntu-cloud.in
> > @@ -55,7 +55,7 @@ lxc.pts = 1024
> >
> > lxc.utsname = $name
> > lxc.arch = $arch
> > -lxc.cap.drop = sys_module mac_admin mac_override
> > +lxc.cap.drop = sys_module mac_admin mac_override sys_time
> >
> > # When using LXC with apparmor, uncomment the next line to run unconfined:
> > #lxc.aa_profile = unconfined
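Review bot: ubuntu-cloud is one of the templates the reply says was not booted (only ubuntu was), and a cloud image is the most likely of the seven to run ntpdate or ntpd early in boot; with sys_time dropped those get EPERM from adjtimex/settimeofday. That is the intended behaviour, but please boot one to confirm the failure is merely logged and does not stall the init sequence.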
> > @@ -76,7 +76,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
> > lxc.cgroup.devices.allow = c 136:* rwm
> > lxc.cgroup.devices.allow = c 5:2 rwm
> > # rtc
> > -lxc.cgroup.devices.allow = c 254:0 rwm
> > +lxc.cgroup.devices.allow = c 254:0 rm
> > # fuse
> > lxc.cgroup.devices.allow = c 10:229 rwm
> > # tun
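Review bot: the `# rtc` comment should now say read-only, e.g. `# rtc (read-only: host clock)`, since the entry no longer matches the rwm pattern of its neighbours (fuse 10:229 and tun below keep rwm) and a later edit could "fix" it back by analogy. Keeping `m` is fine: mknod of the node is harmless while open-for-write is denied.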
> > diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
> > index 7100acc..37a1b9c 100644
> > --- a/templates/lxc-ubuntu.in
> > +++ b/templates/lxc-ubuntu.in
> > @@ -378,7 +378,7 @@ lxc.pts = 1024
> >
> > lxc.utsname = $name
> > lxc.arch = $arch
> > -lxc.cap.drop = sys_module mac_admin mac_override
> > +lxc.cap.drop = sys_module mac_admin mac_override sys_time
> >
> > # When using LXC with apparmor, uncomment the next line to run unconfined:
> > #lxc.aa_profile = unconfined
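Review bot: this is the fourth copy of the same `lxc.cap.drop` list (archlinux, opensuse and ubuntu-cloud carry it too, with differing spacing), and the patch itself shows how the copies drift: alpine, debian and fedora have no cap.drop at all. Consider moving the list into one shared config fragment that every template pulls in, so a capability decision like sys_time is made once rather than per template.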
> > @@ -399,7 +399,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
> > lxc.cgroup.devices.allow = c 136:* rwm
> > lxc.cgroup.devices.allow = c 5:2 rwm
> > # rtc
> > -lxc.cgroup.devices.allow = c 254:0 rwm
> > +lxc.cgroup.devices.allow = c 254:0 rm
> > # fuse
> > lxc.cgroup.devices.allow = c 10:229 rwm
> > # tun
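Review bot: the device change is belt-and-braces rather than the fix: the devices cgroup checks the w bit at open() time, while hwclock opens /dev/rtc0 read-only and sets it through the RTC_SET_TIME ioctl, which the kernel gates on CAP_SYS_TIME rather than on the open mode. So for this template the cap.drop hunk above is what actually stops `hwclock --systohc`; the `rm` change only blocks plain write() to the node. A sentence to that effect in the commit message would stop anyone assuming the device line alone is sufficient, which is exactly the state alpine, debian and fedora are left in.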
> >
>
>
> --
> Stéphane Graber
> Ubuntu developer
> http://www.ubuntu.com
>