[libvirt] [virt-devel] This patch removes the mknod capability from Linux Containers.

Eric Blake eblake at redhat.com
Thu Nov 1 20:07:04 UTC 2012


[originally posted to the wrong list]

On 11/01/2012 12:57 PM, Daniel J Walsh wrote:
> 
> 0001-Linux-Containers-are-not-allowed-to-create-device-no.patch
> 
> 
>>From 3913ef4148728430cc9df79b84d5ec44130f4ac8 Mon Sep 17 00:00:00 2001
> From: rhatdan <dwalsh at redhat.com>

I'll adjust the author attribution to match other patches of yours (we
generally prefer 'git shortlog' to list full names).

> Date: Thu, 1 Nov 2012 14:54:39 -0400
> Subject: [PATCH] Linux Containers are not allowed to create device nodes. 
>  This needs to be done before the container starts. Turning
>  off the mknod capabilty is noticed by systemd, which will

s/capabilty/capability/

>  no longer attempt to create device nodes.

Missing a blank line, so 'git log' tries to treat this as a really long
subject line.

> 
> This eliminates SELinux AVC messages and ugly failure messages in the journal.
> ---
>  src/lxc/lxc_container.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
> index 2789c17..8faa664 100644
> --- a/src/lxc/lxc_container.c
> +++ b/src/lxc/lxc_container.c
> @@ -1717,6 +1717,7 @@ static int lxcContainerDropCapabilities(bool keepReboot ATTRIBUTE_UNUSED)
>                               CAPNG_INHERITABLE | CAPNG_BOUNDING_SET,
>                               CAP_SYS_MODULE, /* No kernel module loading */
>                               CAP_SYS_TIME, /* No changing the clock */
> +                             CAP_MKNOD, /* No creating device nodes */
>                               CAP_AUDIT_CONTROL, /* No messing with auditing status */
>                               CAP_MAC_ADMIN, /* No messing with LSM config */
>                               keepReboot ? -1 : CAP_SYS_BOOT, /* No use of reboot */
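Review bot: because the CAP_MKNOD entry goes into the same capng_updatev list that is applied with CAPNG_INHERITABLE | CAPNG_BOUNDING_SET (top of the hunk), the capability is removed from the bounding set and nothing inside the container can ever re-acquire it, which turns the ordering constraint in the commit message (device nodes must be created before the container starts) into a hard requirement on the caller; the inline comment should state that dependency, e.g. `CAP_MKNOD, /* No creating device nodes; they must already exist */`, so a later reordering of container setup does not silently break device creation.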

Makes sense to me.  ACK; I'll clean it up and push in time for 1.0.0.

-- 
Eric Blake   eblake at redhat.com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
