[libvirt] [virt-devel] This patch removes the mknod capability from Linux Containers.

Daniel J Walsh dwalsh at redhat.com
Thu Nov 1 21:01:34 UTC 2012



On 11/01/2012 04:07 PM, Eric Blake wrote:
> [originally posted to the wrong list]
> 
> On 11/01/2012 12:57 PM, Daniel J Walsh wrote:
>> 
>> 0001-Linux-Containers-are-not-allowed-to-create-device-no.patch
>> 
>> 
>>> From 3913ef4148728430cc9df79b84d5ec44130f4ac8 Mon Sep 17 00:00:00 2001
>> From: rhatdan <dwalsh at redhat.com>
> 
> I'll adjust the author attribution to match other patches of yours (we 
> generally prefer 'git shortlog' to list full names).
> 
>> Date: Thu, 1 Nov 2012 14:54:39 -0400 Subject: [PATCH] Linux Containers
>> are not allowed to create device nodes. This needs to be done before the
>> container starts. Turning off the mknod capabilty is noticed by systemd,
>> which will
> 
> s/capabilty/capability/
> 
>> no longer attempt to create device nodes.
> 
> Missing a blank line, so 'git log' tries to treat this as a really long 
> subject line.
> 
>> 
>> This eliminates SELinux AVC messages and ugly failure messages in the
>> journal. --- src/lxc/lxc_container.c | 1 + 1 file changed, 1
>> insertion(+)
>> 
>> diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c index
>> 2789c17..8faa664 100644 --- a/src/lxc/lxc_container.c +++
>> b/src/lxc/lxc_container.c @@ -1717,6 +1717,7 @@ static int
>> lxcContainerDropCapabilities(bool keepReboot ATTRIBUTE_UNUSED) 
>> CAPNG_INHERITABLE | CAPNG_BOUNDING_SET, CAP_SYS_MODULE, /* No kernel
>> module loading */ CAP_SYS_TIME, /* No changing the clock */ +
>> CAP_MKNOD, /* No creating device nodes */ CAP_AUDIT_CONTROL, /* No
>> messing with auditing status */ CAP_MAC_ADMIN, /* No messing with LSM
>> config */ keepReboot ? -1 : CAP_SYS_BOOT, /* No use of reboot */
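Review bot: because the flags include CAPNG_BOUNDING_SET, the CAP_MKNOD drop added here is permanent for the container, so every device node the guest will ever need must already exist in its /dev before lxcContainerDropCapabilities() runs; the commit message states this ordering requirement ("This needs to be done before the container starts") but the inline comment only says `/* No creating device nodes */`. Suggest extending the comment to name that requirement, and adding a line to the LXC driver documentation that mknod(2) inside a container now fails with EPERM instead of being reported as an SELinux denial: the message only covers systemd noticing the missing capability, and guests whose init creates its own device nodes at boot will see a behaviour change.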
> 
> Makes sense to me.  ACK; I'll clean it up and push in time for 1.0.0.
> 

Thanks, sorry about the git problems. Not sure where it is getting rhatdan from.