[lxc-devel] [PATCH] templates: deny writes to host's clock (v2)

Serge Hallyn serge.hallyn at ubuntu.com
Wed May 1 19:09:54 UTC 2013


Don't allow writes to /dev/rtc0, and remove sys_time.

Thanks, Christoph.

v2: drop sys_time, sys_module, mac_admin and mac_override in
all templates.

Reported-by: Christoph Mitasch <cmitasch at thomas-krenn.com>
Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
 templates/lxc-alpine.in       | 3 ++-
 templates/lxc-altlinux.in     | 1 +
 templates/lxc-archlinux.in    | 2 +-
 templates/lxc-busybox.in      | 1 +
 templates/lxc-debian.in       | 3 ++-
 templates/lxc-fedora.in       | 3 ++-
 templates/lxc-opensuse.in     | 4 ++--
 templates/lxc-sshd.in         | 1 +
 templates/lxc-ubuntu-cloud.in | 4 ++--
 templates/lxc-ubuntu.in       | 4 ++--
 10 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/templates/lxc-alpine.in b/templates/lxc-alpine.in
index 962d274..98347ed 100644
--- a/templates/lxc-alpine.in
+++ b/templates/lxc-alpine.in
@@ -109,6 +109,7 @@ EOF
 lxc.tty = 4
 lxc.pts = 1024
 lxc.utsname = $hostname
+lxc.cap.drop = sys_module mac_admin mac_override sys_time
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined
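Review bot: The new `lxc.cap.drop` line is uncommented, so a reader of the generated config cannot tell why these four capabilities are dropped or that sys_time is the one that actually stops settimeofday/adjtimex against the shared host clock; I would precede it with `# Drop caps the container must not hold: module loading, MAC policy changes, setting the system clock`. The same uncommented line is added in the lxc-altlinux, lxc-busybox, lxc-debian, lxc-fedora and lxc-sshd hunks. This line sits inside a heredoc whose `cat <<EOF` begins before the hunk, so the comment has to be a plain `#` line that the heredoc copies verbatim, like the existing apparmor comment below it.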
@@ -129,7 +130,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
 lxc.cgroup.devices.allow = c 136:* rwm
 lxc.cgroup.devices.allow = c 5:2 rwm
 # rtc
-lxc.cgroup.devices.allow = c 254:0 rwm
+lxc.cgroup.devices.allow = c 254:0 rm
 
 # mounts point
 lxc.mount.entry=proc proc proc nodev,noexec,nosuid 0 0
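Review bot: The `# rtc` comment above the changed allow line now hides a deliberate choice: `rm` without `w` is intentional, and a later maintainer restoring `rwm` for symmetry with the neighbouring entries would silently undo this fix; I would change it to `# rtc (read-only: the container must not set the host hardware clock)`. The same bare comment remains in the rtc hunks of lxc-debian, lxc-fedora, lxc-opensuse, lxc-ubuntu-cloud and lxc-ubuntu. As far as I recall the kernel already requires CAP_SYS_TIME for RTC_SET_TIME, so once sys_time is dropped this cgroup rule is defence in depth rather than the primary control, which is worth saying in the comment so nobody treats it as sufficient on its own. Whether 254 is the rtc major on every target kernel is not something the hunk shows.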
diff --git a/templates/lxc-altlinux.in b/templates/lxc-altlinux.in
index da66ae7..cce214c 100644
--- a/templates/lxc-altlinux.in
+++ b/templates/lxc-altlinux.in
@@ -243,6 +243,7 @@ lxc.utsname = $name
 lxc.tty = 4
 lxc.pts = 1024
 lxc.mount = $config_path/fstab
+lxc.cap.drop = sys_module mac_admin mac_override sys_time
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined
diff --git a/templates/lxc-archlinux.in b/templates/lxc-archlinux.in
index ed5fb46..98d5424 100644
--- a/templates/lxc-archlinux.in
+++ b/templates/lxc-archlinux.in
@@ -127,7 +127,7 @@ lxc.tty=1
 lxc.pts=1024
 lxc.rootfs=${rootfs_path}
 lxc.mount=${config_path}/fstab
-lxc.cap.drop=mknod sys_module mac_admin mac_override
+lxc.cap.drop=mknod sys_module mac_admin mac_override sys_time
 lxc.kmsg=0
 lxc.stopsignal=SIGRTMIN+4
 #networking
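Review bot: After this change lxc-archlinux (and lxc-opensuse in its hunk) drop mknod together with sys_module, mac_admin, mac_override and sys_time, while the `lxc.cap.drop` lines the series adds to the other templates omit mknod; if that difference is not intentional, the shared list could be `lxc.cap.drop=mknod sys_module mac_admin mac_override sys_time` everywhere. Without mknod in the list a container can still create device nodes and only the cgroup device whitelist stands between it and host devices, so the omission deserves at least a comment. I can't tell from the hunk whether some templates need mknod for their init scripts.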
diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
index 2ca2bfd..81e9566 100644
--- a/templates/lxc-busybox.in
+++ b/templates/lxc-busybox.in
@@ -261,6 +261,7 @@ cat <<EOF >> $path/config
 lxc.utsname = $name
 lxc.tty = 1
 lxc.pts = 1
+lxc.cap.drop = sys_module mac_admin mac_override sys_time
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined
diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in
index 568bc2c..d4ea3de 100644
--- a/templates/lxc-debian.in
+++ b/templates/lxc-debian.in
@@ -218,6 +218,7 @@ copy_configuration()
 lxc.tty = 4
 lxc.pts = 1024
 lxc.utsname = $hostname
+lxc.cap.drop = sys_module mac_admin mac_override sys_time
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined
@@ -237,7 +238,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
 lxc.cgroup.devices.allow = c 136:* rwm
 lxc.cgroup.devices.allow = c 5:2 rwm
 # rtc
-lxc.cgroup.devices.allow = c 254:0 rwm
+lxc.cgroup.devices.allow = c 254:0 rm
 
 # mounts point
 lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in
index 6f31e99..59f453b 100644
--- a/templates/lxc-fedora.in
+++ b/templates/lxc-fedora.in
@@ -252,6 +252,7 @@ lxc.utsname = $name
 lxc.tty = 4
 lxc.pts = 1024
 lxc.mount = $config_path/fstab
+lxc.cap.drop = sys_module mac_admin mac_override sys_time
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined
@@ -272,7 +273,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
 lxc.cgroup.devices.allow = c 136:* rwm
 lxc.cgroup.devices.allow = c 5:2 rwm
 # rtc
-lxc.cgroup.devices.allow = c 254:0 rwm
+lxc.cgroup.devices.allow = c 254:0 rm
 EOF
 
     cat <<EOF > $config_path/fstab
diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in
index af92cf5..7d3dd1c 100644
--- a/templates/lxc-opensuse.in
+++ b/templates/lxc-opensuse.in
@@ -275,7 +275,7 @@ lxc.autodev=1
 lxc.tty = 4
 lxc.pts = 1024
 lxc.mount = $path/fstab
-lxc.cap.drop = sys_module mac_admin mac_override mknod
+lxc.cap.drop = sys_module mac_admin mac_override mknod sys_time
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined
@@ -295,7 +295,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
 lxc.cgroup.devices.allow = c 136:* rwm
 lxc.cgroup.devices.allow = c 5:2 rwm
 # rtc
-lxc.cgroup.devices.allow = c 254:0 rwm
+lxc.cgroup.devices.allow = c 254:0 rm
 EOF
 
     cat <<EOF > $path/fstab
diff --git a/templates/lxc-sshd.in b/templates/lxc-sshd.in
index b704723..2927c92 100644
--- a/templates/lxc-sshd.in
+++ b/templates/lxc-sshd.in
@@ -112,6 +112,7 @@ copy_configuration()
 cat <<EOF >> $path/config
 lxc.utsname = $name
 lxc.pts = 1024
+lxc.cap.drop = sys_module mac_admin mac_override sys_time
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined
diff --git a/templates/lxc-ubuntu-cloud.in b/templates/lxc-ubuntu-cloud.in
index d60f2c7..9f5cf19 100644
--- a/templates/lxc-ubuntu-cloud.in
+++ b/templates/lxc-ubuntu-cloud.in
@@ -55,7 +55,7 @@ lxc.pts = 1024
 
 lxc.utsname = $name
 lxc.arch = $arch
-lxc.cap.drop = sys_module mac_admin mac_override
+lxc.cap.drop = sys_module mac_admin mac_override sys_time
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined
@@ -76,7 +76,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
 lxc.cgroup.devices.allow = c 136:* rwm
 lxc.cgroup.devices.allow = c 5:2 rwm
 # rtc
-lxc.cgroup.devices.allow = c 254:0 rwm
+lxc.cgroup.devices.allow = c 254:0 rm
 # fuse
 lxc.cgroup.devices.allow = c 10:229 rwm
 # tun
diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
index 7100acc..37a1b9c 100644
--- a/templates/lxc-ubuntu.in
+++ b/templates/lxc-ubuntu.in
@@ -378,7 +378,7 @@ lxc.pts = 1024
 
 lxc.utsname = $name
 lxc.arch = $arch
-lxc.cap.drop = sys_module mac_admin mac_override
+lxc.cap.drop = sys_module mac_admin mac_override sys_time
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined
@@ -399,7 +399,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
 lxc.cgroup.devices.allow = c 136:* rwm
 lxc.cgroup.devices.allow = c 5:2 rwm
 # rtc
-lxc.cgroup.devices.allow = c 254:0 rwm
+lxc.cgroup.devices.allow = c 254:0 rm
 # fuse
 lxc.cgroup.devices.allow = c 10:229 rwm
 # tun
-- 
1.8.1.2




