[Lxc-users] What are the security implications of lxc.cgroup.devices.allow = [cb] *:* m?

Serge E. Hallyn serge.hallyn at canonical.com
Mon Feb 14 04:52:02 UTC 2011


Quoting Trent W. Buck (trentbuck at gmail.com):
> I have a container that autobuilds packages (debs with pbuilder, live
> CDs with live-build).  These scripts use chroots, and want to populate
> (but not use) a bunch of device files within the chroot's /dev.
> 
> I found that to make this work, I need to
> 
>   1) remove "lxc.cap.drop = mknod"
>   2) add "lxc.cgroup.devices.allow = b *:* m" and
>          "lxc.cgroup.devices.allow = c *:* m"
> 
> AIUI this gives the container permission to *create* arbitrary device
> files, but not to read nor write from them.  Is that correct?

Yes (iirc)

> What are the security implications of granting this privilege to a
> container?  *I* can't think of any, but I may have missed something.

Ditto - can't think of any, but that shouldn't put your mind at ease.

-serge
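The configuration in the exchange above, modelled as an added example (this is not code from the thread or from LXC itself): a small Python model of the cgroup v1 devices whitelist that LXC drives through lxc.cgroup.devices.allow. The default whitelist entries and the config fragment below are constructed stand-ins, and the matching rule reproduces the kernel's devices controller check: a request is permitted only if a single rule matches the node's type, major and minor (with * as wildcard) and grants every requested access bit. With "b *:* m" and "c *:* m" added, any block or character node can be created, while read and write remain limited to whatever the pre-existing whitelist already covered.

```python
"""Added example (not from the lxc-users thread or from LXC itself): a model
of how the cgroup v1 devices whitelist evaluates lxc.cgroup.devices.allow
lines, so the effect of 'b *:* m' and 'c *:* m' can be checked offline."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

# Constructed stand-in for the whitelist an LXC template installs right after
# 'lxc.cgroup.devices.deny = a'; the real list is distribution-specific.
DEFAULT_ALLOW = [
    "c 1:3 rwm",    # /dev/null
    "c 1:5 rwm",    # /dev/zero
    "c 1:9 rwm",    # /dev/urandom
    "c 136:* rwm",  # /dev/pts/*
]
# The two lines from the question: create any block/char node, nothing more.
MKNOD_ONLY_ALLOW = ["b *:* m", "c *:* m"]

# Constructed config fragment in the container config-file syntax.
SAMPLE_CONFIG = """\
lxc.cgroup.devices.deny = a            # start from an empty whitelist
lxc.cgroup.devices.allow = c 1:3 rwm   # /dev/null
lxc.cgroup.devices.allow = b *:* m
lxc.cgroup.devices.allow = c *:* m
"""

@dataclass(frozen=True)
class Rule:
    dev_type: str         # 'a' (all), 'b' (block) or 'c' (char)
    major: Optional[int]  # None stands for the '*' wildcard
    minor: Optional[int]
    access: frozenset     # subset of {'r', 'w', 'm'}

def parse_rule(text: str) -> Rule:
    """Parse 'TYPE MAJOR:MINOR ACCESS', the value after 'devices.allow ='."""
    parts = text.split()
    if len(parts) != 3 or parts[0] not in ("a", "b", "c"):
        raise ValueError(f"malformed devices rule: {text!r}")
    dev_type, numbers, access = parts
    major_s, sep, minor_s = numbers.partition(":")
    if not sep or not access or set(access) - {"r", "w", "m"}:
        raise ValueError(f"malformed devices rule: {text!r}")
    major = None if major_s == "*" else int(major_s)
    minor = None if minor_s == "*" else int(minor_s)
    return Rule(dev_type, major, minor, frozenset(access))

def parse_lxc_config(config: str) -> List[Rule]:
    """Collect the devices.allow rules from a config; other keys are ignored
    and 'devices.deny = a' is assumed to precede them as the templates do."""
    rules = []
    for raw in config.splitlines():
        key, sep, value = raw.split("#", 1)[0].partition("=")
        if sep and key.strip() == "lxc.cgroup.devices.allow":
            rules.append(parse_rule(value.strip()))
    return rules

def is_allowed(rules: Sequence[Rule], dev_type: str, major: int, minor: int,
               access: str) -> bool:
    """Mirror the kernel's whitelist match: open()/mknod() on a node succeeds
    iff a single rule matches its type and numbers and grants every requested
    bit; two partial rules are never combined to satisfy one request."""
    wanted = set(access)
    for r in rules:
        if r.dev_type not in ("a", dev_type):
            continue
        if r.major not in (None, major) or r.minor not in (None, minor):
            continue
        if not wanted - r.access:
            return True
    return False

def permitted_ops(rules: Sequence[Rule], dev_type: str, major: int,
                  minor: int) -> str:
    """Which of 'r', 'w', 'm' the whitelist grants for one device node."""
    return "".join(op for op in "rwm"
                   if is_allowed(rules, dev_type, major, minor, op))

def audit(allow_lines: Sequence[str]) -> Dict[str, str]:
    """Permitted operations for a few nodes a build chroot might populate."""
    rules = [parse_rule(line) for line in allow_lines]
    probes = [("/dev/null", "c", 1, 3), ("/dev/mem", "c", 1, 1),
              ("/dev/sda", "b", 8, 0)]
    return {label: permitted_ops(rules, t, maj, mn)
            for label, t, maj, mn in probes}

if __name__ == "__main__":
    for name, lines in (("default", DEFAULT_ALLOW),
                        ("default + mknod-only", DEFAULT_ALLOW + MKNOD_ONLY_ALLOW)):
        print(name, audit(lines))
```

Run directly, it prints the two whitelists side by side: the default grants nothing at all on /dev/mem or /dev/sda, and adding the two wildcard rules grants exactly "m" on them while /dev/null keeps "rwm". The lxc.cap.drop = mknod change from the question is the other half of the setup and is a capability check rather than a devices-controller rule, so it is outside what this model evaluates.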



