[libvirt] [virt-devel] This patch removes the mknod capability from Linux Containers.
Eric Blake
eblake at redhat.com
Thu Nov 1 20:07:04 UTC 2012
[originally posted to the wrong list]
On 11/01/2012 12:57 PM, Daniel J Walsh wrote:
>
> 0001-Linux-Containers-are-not-allowed-to-create-device-no.patch
>
>
> From 3913ef4148728430cc9df79b84d5ec44130f4ac8 Mon Sep 17 00:00:00 2001
> From: rhatdan <dwalsh at redhat.com>
I'll adjust the author attribution to match other patches of yours (we
generally prefer 'git shortlog' to list full names).
> Date: Thu, 1 Nov 2012 14:54:39 -0400
> Subject: [PATCH] Linux Containers are not allowed to create device nodes.
> This needs to be done before the container starts. Turning
> off the mknod capabilty is noticed by systemd, which will
s/capabilty/capability/
> no longer attempt to create device nodes.
Missing a blank line, so 'git log' tries to treat this as a really long
subject line.
>
> This eliminates SELinux AVC messages and ugly failure messages in the journal.
> ---
> src/lxc/lxc_container.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
> index 2789c17..8faa664 100644
> --- a/src/lxc/lxc_container.c
> +++ b/src/lxc/lxc_container.c
> @@ -1717,6 +1717,7 @@ static int lxcContainerDropCapabilities(bool keepReboot ATTRIBUTE_UNUSED)
> CAPNG_INHERITABLE | CAPNG_BOUNDING_SET,
> CAP_SYS_MODULE, /* No kernel module loading */
> CAP_SYS_TIME, /* No changing the clock */
> + CAP_MKNOD, /* No creating device nodes */
> CAP_AUDIT_CONTROL, /* No messing with auditing status */
> CAP_MAC_ADMIN, /* No messing with LSM config */
> keepReboot ? -1 : CAP_SYS_BOOT, /* No use of reboot */
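Review bot: the hunk does not show where lxcContainerDropCapabilities() is called relative to libvirt's own population of the container's /dev, and the commit message says the drop has to happen "before the container starts", so please confirm at the call site that every device node libvirt itself creates for the container is made before this function runs; after the drop those mknod() calls would fail with EPERM exactly as systemd's do. Two smaller points on the new line: the flags in the context line above include CAPNG_BOUNDING_SET, so removing CAP_MKNOD there also stops a setuid or file-capability binary inside the container from regaining it, which is the property the commit message relies on and deserves a sentence there; and since CAP_MKNOD only gates mknod() of character and block devices (FIFOs, sockets and regular files never need it), the comment "No creating device nodes" is accurate, but a workload that legitimately needs to create device nodes gets no way to opt out with this change, which is worth stating in the commit message as an intentional restriction.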
Makes sense to me. ACK; I'll clean it up and push in time for 1.0.0.
--
Eric Blake eblake at redhat.com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 617 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20121101/a4a65f18/attachment-0001.sig>
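As a check for the behaviour the commit message describes (a container that can no longer create device nodes, while everything else about mknod() still works), here is an added example that is not part of this thread and not libvirt's code. Run inside a container, it asks the kernel via prctl(PR_CAPBSET_READ) whether CAP_MKNOD is still in the bounding set, parses the "CapBnd:" line format used by /proc/self/status so the same check can be made from a status dump, and contrasts mknod() of a FIFO (never needs CAP_MKNOD) with mknod() of a character device (always does). The CapBnd sample masks and the /tmp scratch directory are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <linux/capability.h>   /* CAP_MKNOD, CAP_SYS_MODULE, ... */
#include <sys/prctl.h>          /* PR_CAPBSET_READ */
#include <sys/stat.h>
#include <sys/sysmacros.h>      /* makedev() */
#include <sys/types.h>

/*
 * Parse one "CapXxx:\t<hex mask>" line in the format /proc/self/status uses
 * and report whether capability number `cap` is set in that mask.
 * Returns 1 (set), 0 (clear) or -1 (not in that format, or cap out of range).
 */
int cap_in_status_line(const char *line, int cap)
{
    const char *p;
    char *end;
    unsigned long long mask;

    if (line == NULL || cap < 0 || cap > 63)
        return -1;
    p = strchr(line, ':');
    if (p == NULL)
        return -1;
    p++;
    while (*p == ' ' || *p == '\t')
        p++;
    errno = 0;
    mask = strtoull(p, &end, 16);
    if (errno != 0 || end == p)
        return -1;
    return (int)((mask >> cap) & 1ULL);
}

/*
 * Ask the kernel directly whether CAP_MKNOD is still in this process's
 * bounding set. Inside a container started after the patch this is 0.
 * Returns 1 (present), 0 (dropped) or -1 if PR_CAPBSET_READ is unsupported.
 */
int mknod_in_bounding_set(void)
{
    int r = prctl(PR_CAPBSET_READ, CAP_MKNOD, 0, 0, 0);
    return r < 0 ? -1 : r;
}

/*
 * Try mknod() of a node of the given type in `dir`. Returns 0 on success
 * (removing the node again) or the errno of the failed call. Only S_IFCHR and
 * S_IFBLK require CAP_MKNOD; a FIFO is the control showing mknod() itself
 * is reachable from the caller's environment.
 */
int try_mknod(const char *dir, const char *name, mode_t type, dev_t dev)
{
    char path[PATH_MAX];

    if (snprintf(path, sizeof(path), "%s/%s", dir, name) >= (int)sizeof(path))
        return ENAMETOOLONG;
    if (mknod(path, type | 0600, dev) != 0)
        return errno;
    unlink(path);
    return 0;
}

int main(void)
{
    char dir[] = "/tmp/mknod-check-XXXXXX";   /* constructed scratch directory */
    int bset, fifo, chr;

    bset = mknod_in_bounding_set();
    printf("CAP_MKNOD in bounding set: %s\n",
           bset < 0 ? "unknown" : bset ? "yes" : "no (dropped)");

    if (mkdtemp(dir) == NULL) {
        perror("mkdtemp");
        return 1;
    }
    fifo = try_mknod(dir, "fifo", S_IFIFO, 0);
    chr  = try_mknod(dir, "null", S_IFCHR, makedev(1, 3));
    rmdir(dir);

    /* With CAP_MKNOD gone from the bounding set, the FIFO still succeeds and
     * the 1:3 character device fails with EPERM: the same EPERM systemd would
     * hit when populating /dev, which is what the patch makes it stop doing. */
    printf("mknod FIFO:      %s\n", fifo ? strerror(fifo) : "ok");
    printf("mknod char 1:3:  %s\n", chr ? strerror(chr) : "ok");
    return 0;
}
```

Run it as the container's init user before and after the libvirt change: the bounding-set line flips from "yes" to "no (dropped)", and only the character-device line changes from "ok" to "Operation not permitted".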