[lxc-devel] [lxc/lxc] 4845c1: Prevent access to pci devices

Wed Mar 16 22:35:35 UTC 2016

  Branch: refs/heads/master
  Home:   https://github.com/lxc/lxc
  Commit: 4845c17aff570c25e05c5347dfdcd577cb108d47
      https://github.com/lxc/lxc/commit/4845c17aff570c25e05c5347dfdcd577cb108d47
  Author: Serge Hallyn <serge.hallyn at ubuntu.com>
  Date:   2016-03-16 (Wed, 16 Mar 2016)

  Changed paths:
    M config/apparmor/abstractions/container-base
    M config/apparmor/abstractions/container-base.in
    M config/templates/common.conf.in

  Log Message:
  -----------
  Prevent access to pci devices

Prevent privileged containers from messing with the host's pci devices
directly.  Refuse access under /proc/bus, and drop cap_sys_rawio.  Some
containers may need to re-enable cap_sys_rawio (i.e. if they run an
X server).

It may be desirable to break some of this stuff into files which can be
separately included (or not included), but this patch isn't the right
place for that.

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>

  Commit: e97069ad385f7be358a64b52343d480428eb51aa
      https://github.com/lxc/lxc/commit/e97069ad385f7be358a64b52343d480428eb51aa
  Author: Christian Brauner <christian.brauner at mailbox.org>
  Date:   2016-03-16 (Wed, 16 Mar 2016)

  Changed paths:
    M config/apparmor/abstractions/container-base
    M config/apparmor/abstractions/container-base.in
    M config/templates/common.conf.in

  Log Message:
  -----------
  Merge pull request #897 from hallyn/2016-03-16/aa

Prevent access to pci devices

Compare: https://github.com/lxc/lxc/compare/b3e4df8a83ab...e97069ad385f