[Lxc-users] What are the security implications of lxc.cgroup.devices.allow = [cb] *:* m?

Trent W. Buck trentbuck at gmail.com
Sun Feb 13 02:53:30 UTC 2011


I have a container that autobuilds packages (debs with pbuilder, live
CDs with live-build).  These scripts use chroots, and want to populate
(but not use) a bunch of device files within the chroot's /dev.

I found that to make this work, I need to

  1) remove "lxc.cap.drop = mknod"
  2) add "lxc.cgroup.devices.allow = b *:* m" and
         "lxc.cgroup.devices.allow = c *:* m"

AIUI this gives the container permission to *create* arbitrary device
files, but not to read nor write from them.  Is that correct?

What are the security implications of granting this privilege to a
container?  *I* can't think of any, but I may have missed something.





More information about the lxc-users mailing list