[lxc-devel] [PATCH] oracle template: restrict writeability in /proc and /sys
Serge Hallyn
serge.hallyn at ubuntu.com
Thu Oct 24 00:23:38 UTC 2013
Quoting Dwight Engen (dwight.engen at oracle.com):
> Note that since we don't drop CAP_SYS_ADMIN, root in the container can
> remount proc or sys however they want to, but this at least improves
> the default situation.
>
> Signed-off-by: Dwight Engen <dwight.engen at oracle.com>
Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
> ---
> templates/lxc-oracle.in | 7 +------
> 1 file changed, 1 insertion(+), 6 deletions(-)
>
> diff --git a/templates/lxc-oracle.in b/templates/lxc-oracle.in
> index ddc6d74..78d99ee 100644
> --- a/templates/lxc-oracle.in
> +++ b/templates/lxc-oracle.in
> @@ -350,7 +350,7 @@ lxc.utsname = $name
> lxc.devttydir = lxc
> lxc.tty = 4
> lxc.pts = 1024
> -lxc.mount = $cfg_dir/fstab
> +lxc.mount.auto = proc:mixed sys:ro
> lxc.hook.clone = @DATADIR@/lxc/hooks/clonehostname
> # Uncomment these if you don't run anything that needs the capability, and
> # would like the container to run with less privilege.
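Review bot: the commit subject promises restricted writability in /proc, but `proc:mixed` keeps /proc itself read-write and only remounts /proc/sys and /proc/sysrq-trigger read-only (`sys:ro` does mount sysfs read-only), so the new `lxc.mount.auto = proc:mixed sys:ro` line deserves a comment in the template saying exactly which paths become read-only, and the CAP_SYS_ADMIN caveat from the commit message belongs right there too, since the comment two lines below already tells users which capability drops buy them less privilege. One question for the author: does the Oracle template still need to work with lxc releases that predate the `lxc.mount.auto` key? The old `lxc.mount = $cfg_dir/fstab` form it replaces did not depend on it.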
> @@ -404,11 +404,6 @@ lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
> lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc console
> lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master
> EOF
> -
> - cat <<EOF > $cfg_dir/fstab || die "unable to create $cfg_dir/fstab"
> -proc proc proc nodev,noexec,nosuid 0 0
> -sysfs sys sysfs defaults 0 0
> -EOF
> }
>
> container_rootfs_clone()
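Review bot: removing the fstab heredoc also removes the explicit `nodev,noexec,nosuid` flags that the old `proc proc proc nodev,noexec,nosuid 0 0` line applied; the commit message should state that the automatic proc mount carries equivalent flags (or say so if it does not) so the change is not read as a regression. Also worth checking that nothing else in lxc-oracle.in, for example container_rootfs_clone() just below this hunk, still copies or references $cfg_dir/fstab now that the file is never created, and that containers generated by the previous template, which keep their `lxc.mount = $cfg_dir/fstab` line and fstab file, continue to start unchanged.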
> --
> 1.8.3.1
> _______________________________________________
> Lxc-devel mailing list
> Lxc-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/lxc-devel