[Lxc-users] What are the security implications of lxc.cgroup.devices.allow = [cb] *:* m?
Trent W. Buck
trentbuck at gmail.com
Sun Feb 13 02:53:30 UTC 2011
I have a container that autobuilds packages (debs with pbuilder, live
CDs with live-build). These scripts use chroots, and want to populate
(but not use) a bunch of device files within the chroot's /dev.
I found that to make this work, I need to
1) remove "lxc.cap.drop = mknod"
2) add "lxc.cgroup.devices.allow = b *:* m" and
"lxc.cgroup.devices.allow = c *:* m"
AIUI this gives the container permission to *create* arbitrary device
files, but not to read nor write from them. Is that correct?
What are the security implications of granting this privilege to a
container? *I* can't think of any, but I may have missed something.
More information about the lxc-users
mailing list