[lxc-devel] [PATCH] templates: deny writes to host's clock

Dwight Engen dwight.engen at oracle.com
Wed May 1 16:20:28 UTC 2013


On Wed, 1 May 2013 10:54:10 -0500
Serge Hallyn <serge.hallyn at ubuntu.com> wrote:

> Quoting Stéphane Graber (stgraber at ubuntu.com):
> > On 05/01/2013 06:51 AM, Serge Hallyn wrote:
> > > Don't allow write to /dev/rtc0, and remove sys_time (in any
> > > templates which drop any capabilities)
> > > 
> > > Reported-by: Christoph Mitasch <cmitasch at thomas-krenn.com>
> > > Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
> > 
> > Assuming this has been tested not to prevent boot for any of the
> > update templates.
> > 
> > Acked-by: Stéphane Graber <stgraber at ubuntu.com>
> 
> I didn't test all of them, only ubuntu.
> 
> If anything fails to boot because of inability to mess with host's
> clock, that will be interesting :)  I'll test whatever ones I can
> (i.e. not sure all of them work) before pushing.

Just FYI, when I removed /dev/rtc0 from the lxc-oracle template, the
containers still booted, but /sbin/hwclock complained, which is why it
got commented out from the initscripts. Other than that, removing
/dev/rtc0 completely hasn't seemed to have any ill side effects.
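
The change discussed in this thread (no write access to /dev/rtc0, sys_time dropped), as an added example that is not part of the original message or the LXC patch: a small auditor that checks a container config for both conditions. The sample config and the 254:0 device number for rtc0 are constructed assumptions, and lxc.cap.keep is not handled.

```python
# Constructed sample config; 254:0 as the rtc0 device number is an assumption.
WEAK = """\
lxc.cap.drop = sys_module mac_admin
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm
# rtc
lxc.cgroup.devices.allow = c 254:0 rwm
"""
HARDENED = WEAK.replace("mac_admin", "mac_admin sys_time").replace("254:0 rwm", "254:0 rm")

def parse(text):
    # Yield (key, value) pairs, skipping blank lines and comments.
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            yield key.strip(), value.strip()

def rule_access(value, dev):
    # Access letters a devices.allow/deny rule applies to char device `dev`.
    parts = value.split()
    if parts == ["a"]:                      # bare "a" means every device, rwm
        return set("rwm")
    if len(parts) != 3 or parts[0] not in ("a", "c"):
        return set()
    major, _, minor = parts[1].partition(":")
    want_major, _, want_minor = dev.partition(":")
    if major in ("*", want_major) and minor in ("*", want_minor):
        return set(parts[2])
    return set()

def audit_clock(text, rtc_dev="254:0"):
    access = set("rwm")                     # devices cgroup allows all until denied
    dropped = set()
    for key, value in parse(text):
        if key == "lxc.cap.drop":
            # An empty value clears the drop list built so far.
            dropped = dropped | set(value.lower().split()) if value else set()
        elif key == "lxc.cgroup.devices.deny":
            access -= rule_access(value, rtc_dev)
        elif key == "lxc.cgroup.devices.allow":
            access |= rule_access(value, rtc_dev)
    findings = []
    if "w" in access:
        findings.append("rtc device %s is writable" % rtc_dev)
    if "sys_time" not in dropped:
        findings.append("sys_time is not in lxc.cap.drop")
    return findings

if __name__ == "__main__":
    print(audit_clock(WEAK), audit_clock(HARDENED))
```

Rules are applied in file order, so a config with no `lxc.cgroup.devices.deny` line is reported as leaving the rtc device writable.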



