[lxc-devel] [PATCH] templates: deny writes to host's clock

Serge Hallyn serge.hallyn at ubuntu.com
Wed May 1 17:23:03 UTC 2013


Quoting Serge Hallyn (serge.hallyn at ubuntu.com):
> Quoting Dwight Engen (dwight.engen at oracle.com):
> > On Wed, 1 May 2013 10:54:10 -0500
> > Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> > 
> > > Quoting Stéphane Graber (stgraber at ubuntu.com):
> > > > On 05/01/2013 06:51 AM, Serge Hallyn wrote:
> > > > > Don't allow writes to /dev/rtc0, and remove sys_time (in any
> > > > > templates which drop any capabilities)
> > > > > 
> > > > > Reported-by: Christoph Mitasch <cmitasch at thomas-krenn.com>
> > > > > Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
> > > > 
> > > > Assuming this has been tested not to prevent boot for any of the
> > > > update templates.
> > > > 
> > > > Acked-by: Stéphane Graber <stgraber at ubuntu.com>
> > > 
> > > I didn't test all of them, only ubuntu.
> > > 
> > > If anything fails to boot because of inability to mess with host's
> > > clock, that will be interesting :)  I'll test whatever ones I can
> > > (i.e. not sure all of them work) before pushing.
> > 
> > Just FYI, when I removed /dev/rtc0 from the lxc-oracle template, the
> > containers still booted but /sbin/hwclock complained which is why it
> > got commented out from the initscripts. Other than that removing
> > /dev/rtc0 completely hasn't seemed to have any ill side effects.
> 
> Well, now I don't know.  My patch only removed sys_time from templates
> already removing capabilities.  I'm not sure that's right.  I'm going
> to change it to remove it from all templates (as well as sys_module, mac_admin,
> and mac_override).  The template doesn't get to decide how it can hose my
> host...

Alternatively I suppose we could recommend distributions add
a reasonable lxc.cap.drop to /etc/lxc/default.conf.  I.e., it
would go more along with installation of apparmor and selinux
profiles.
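A way to check, from inside a container, whether a distribution-supplied lxc.cap.drop and the rtc0 device rule discussed above actually took effect. This is an added example and not code from the lxc project or from anyone in this thread. It assumes the capability bit numbers from linux/capability.h (sys_module = 16, sys_time = 25, mac_override = 32, mac_admin = 33), that the bounding set is the CapBnd line of /proc/self/status, and that the host exposes the RTC as /dev/rtc0 (the device-number assumption c 254:0 lives in the container config, not in this script).

```shell
#!/bin/sh
# Added example, not code from the lxc project or from this thread.
# Run inside a container to confirm that the capabilities discussed above
# are absent from the bounding set and that /dev/rtc0 refuses writes.
# Capability bit numbers are those of linux/capability.h (assumed fixed).
CAP_SYS_MODULE=16
CAP_SYS_TIME=25
CAP_MAC_OVERRIDE=32
CAP_MAC_ADMIN=33

# cap_in_mask HEXMASK BIT: succeed if BIT is set in a CapBnd-style hex mask.
cap_in_mask() {
    [ "$(( (0x$1 >> $2) & 1 ))" -eq 1 ]
}

# caps_still_present HEXMASK: print each unwanted capability still in the
# mask, one per line; succeed only if none of them remain.
caps_still_present() {
    _mask=$1
    _rc=0
    for _pair in sys_module:$CAP_SYS_MODULE sys_time:$CAP_SYS_TIME \
                 mac_override:$CAP_MAC_OVERRIDE mac_admin:$CAP_MAC_ADMIN; do
        if cap_in_mask "$_mask" "${_pair##*:}"; then
            echo "${_pair%%:*}"
            _rc=1
        fi
    done
    return $_rc
}

# current_capbnd: the bounding set of this process, as the hex string the
# kernel reports in /proc/self/status (empty if that file is unreadable).
current_capbnd() {
    awk '/^CapBnd:/ { print $2 }' /proc/self/status 2>/dev/null || true
}

# rtc_writable: succeed if /dev/rtc0 exists and can be opened for writing.
# Opening is enough to exercise the device cgroup rule; nothing is written.
rtc_writable() {
    [ -c /dev/rtc0 ] && ( : >> /dev/rtc0 ) 2>/dev/null
}

# report: human-readable summary; always returns 0 so it can run at top level.
report() {
    _bnd=$(current_capbnd)
    if [ -z "$_bnd" ]; then
        echo "cannot read CapBnd from /proc/self/status"
    else
        echo "CapBnd: $_bnd"
        if _left=$(caps_still_present "$_bnd"); then
            echo "ok: sys_module, sys_time, mac_override and mac_admin are all dropped"
        else
            echo "WARNING: still in bounding set:" $_left
        fi
    fi
    if rtc_writable; then
        echo "WARNING: /dev/rtc0 is writable; the host clock can be changed"
    else
        echo "ok: /dev/rtc0 is absent or not writable"
    fi
    return 0
}

report
```

The two WARNING lines correspond to the two halves of the change under discussion: the first means the container still holds a capability the lxc.cap.drop line was meant to remove, the second means the device cgroup still grants write access to the RTC node, so hwclock inside the container can set the host's clock.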
