[Lxc-users] What are the security implications of lxc.cgroup.devices.allow = [cb] *:* m?
Serge E. Hallyn
serge.hallyn at canonical.com
Mon Feb 14 04:52:02 UTC 2011
Quoting Trent W. Buck (trentbuck at gmail.com):
> I have a container that autobuilds packages (debs with pbuilder, live
> CDs with live-build). These scripts use chroots, and want to populate
> (but not use) a bunch of device files within the chroot's /dev.
>
> I found that to make this work, I need to
>
> 1) remove "lxc.cap.drop = mknod"
> 2) add "lxc.cgroup.devices.allow = b *:* m" and
> "lxc.cgroup.devices.allow = c *:* m"
>
> AIUI this gives the container permission to *create* arbitrary device
> files, but not to read nor write from them. Is that correct?
Yes (iirc)
> What are the security implications of granting this privilege to a
> container? *I* can't think of any, but I may have missed something.
Ditto - can't think of any, but that shouldn't put your mind at ease.
-serge
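As an added example that is not part of the thread, the following script audits an LXC config for the pattern discussed above: it parses `lxc.cgroup.devices.allow` rules in the cgroup v1 devices syntax (`<type> <major>:<minor> <access>`), flags wildcard `*:*` rules that grant `r` or `w` rather than only `m`, and reports whether `mknod` is still in `lxc.cap.drop`. The sample config is constructed for the demonstration.

```python
import re

# cgroup v1 devices rule as used by lxc.cgroup.devices.allow:
# type (a/b/c), major:minor with * wildcards, access chars from r/w/m.
RULE_RE = re.compile(r"^([abc])\s+(\*|\d+):(\*|\d+)\s+([rwm]{1,3})$")

# Constructed sample config (not from the thread), mirroring the posted change.
SAMPLE_CONFIG = """\
# constructed example
lxc.cap.drop = sys_module mac_admin
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = b *:* m
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = c 1:3 rwm   # /dev/null
lxc.cgroup.devices.allow = c *:* rw    # broad: read/write on every char device
"""


def parse_rule(spec):
    """Parse one rule such as 'b *:* m' into its parts; raise ValueError if malformed."""
    m = RULE_RE.match(spec.strip())
    if not m:
        raise ValueError(f"malformed device rule: {spec!r}")
    dtype, major, minor, access = m.groups()
    return {"type": dtype, "major": major, "minor": minor, "access": set(access)}


def audit_config(config_text):
    """Return which allow rules grant r/w on *:* and whether mknod is dropped."""
    dropped_caps = set()
    wildcard_rw = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if key == "lxc.cap.drop":
            dropped_caps.update(value.split())
        elif key == "lxc.cgroup.devices.allow":
            rule = parse_rule(value)
            rw = rule["access"] & {"r", "w"}
            if rule["major"] == "*" and rule["minor"] == "*" and rw:
                wildcard_rw.append((lineno, value, "".join(sorted(rw))))
    return {"mknod_dropped": "mknod" in dropped_caps, "wildcard_rw": wildcard_rw}


if __name__ == "__main__":
    print(audit_config(SAMPLE_CONFIG))
```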