[libvirt-users] libvirt 1.0.3 Vs 1.0.4 / cgroup devices

Daniel P. Berrange berrange at redhat.com
Thu Apr 18 09:41:27 UTC 2013


On Thu, Apr 18, 2013 at 11:31:56AM +0200, Mohamed Larabi wrote:
> Hi Daniel,
> 
> knowing that the /dev/random (c 1:8 rwm) device is assigned to the containers, the problem is :
>       - with libvirt 1.0.3: inside the container, I can do rm -f /dev/random; mknod /dev/random c 1 8 (which works fine)
>       - with libvirt 1.0.4: rm -f /dev/random; mknod /dev/random c 1 8 is not working (mknod: `random': Operation not permitted)
> 
> why is it allowed in 1.0.3 and not in 1.0.4?

Because in 1.0.4 we fixed the bug that mistakenly allowed mknod in
earlier releases. We were already blocking users from accessing any
other devices via cgroups, but we mistakenly didn't forbid mknod via
the system capabilities which is more secure than cgroups. Just don't
delete the devices that are pre-populated by libvirt.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
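The two layers Daniel describes can be checked from inside a container without libvirt: the devices cgroup (v1) whitelist in devices.list decides which nodes may be opened or created, and the capability bounding set (CapBnd in /proc/self/status) decides whether mknod of a device node is possible at all, since that needs CAP_MKNOD. The following program is an added example, not libvirt code: it parses both formats and combines them the way the kernel does for mknod. The devices.list lines and CapBnd values used in the comments are constructed; CAP_MKNOD's bit number (27) is from <linux/capability.h>.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* CAP_MKNOD is capability number 27 (see <linux/capability.h>). */
#define CAP_MKNOD_BIT 27

/* Layer 1: capabilities. Given the CapBnd value as printed in
 * /proc/<pid>/status (hex, no "0x"), report whether CAP_MKNOD is still in
 * the bounding set. Once it is dropped, mknod of a device node fails with
 * EPERM no matter what the devices cgroup grants. */
int capbnd_allows_mknod(const char *capbnd_hex)
{
    uint64_t bnd = strtoull(capbnd_hex, NULL, 16);
    return (int)((bnd >> CAP_MKNOD_BIT) & 1ULL);
}

/* Layer 2: devices cgroup (v1). One devices.list rule looks like
 *   "c 1:8 rwm"   or   "c 136:* rw"   or   "a *:* rwm"
 * type a/b/c, major:minor with '*' wildcards, then r/w/m access letters.
 * Returns 1 if this rule grants every letter in `want` on the device. */
static int rule_grants(const char *rule, char type, unsigned major,
                       unsigned minor, const char *want)
{
    char rtype, maj[16], mnr[16], acc[8];
    if (sscanf(rule, " %c %15[^:]:%15s %7s", &rtype, maj, mnr, acc) != 4)
        return 0;
    if (rtype != 'a' && rtype != type)
        return 0;
    if (strcmp(maj, "*") != 0 && strtoul(maj, NULL, 10) != major)
        return 0;
    if (strcmp(mnr, "*") != 0 && strtoul(mnr, NULL, 10) != minor)
        return 0;
    for (; *want; want++)          /* every wanted access letter must be present */
        if (strchr(acc, *want) == NULL)
            return 0;
    return 1;
}

/* Walk a whole devices.list (newline separated) and report whether any rule
 * grants `want` (some subset of "rwm") on the given device. */
int devcg_allows(const char *devices_list, char type, unsigned major,
                 unsigned minor, const char *want)
{
    const char *p = devices_list;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[64];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (len > 0 && rule_grants(line, type, major, minor, want))
            return 1;
        if (!nl)
            break;
        p = nl + 1;
    }
    return 0;
}

/* mknod of a device node succeeds only if BOTH layers allow it: CAP_MKNOD in
 * the bounding set and an 'm' rule for that device in the devices cgroup.
 * The thread's 1.0.3 case is "rule present, capability not dropped" (succeeds);
 * the 1.0.4 case is "rule present, capability dropped" (EPERM). */
int mknod_would_succeed(const char *capbnd_hex, const char *devices_list,
                        char type, unsigned major, unsigned minor)
{
    return capbnd_allows_mknod(capbnd_hex)
        && devcg_allows(devices_list, type, major, minor, "m");
}

/* Stand-alone use: inspect the calling process's own bounding set. */
int main(void)
{
    char line[256], capbnd[32] = "0";
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) {
        perror("/proc/self/status");
        return 1;
    }
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "CapBnd: %31s", capbnd) == 1)
            break;
    fclose(f);
    printf("CapBnd=%s: CAP_MKNOD %s in the bounding set\n", capbnd,
           capbnd_allows_mknod(capbnd) ? "is" : "is NOT");
    return 0;
}
```

Run inside the container to see which layer is stopping you: if CapBnd lacks bit 27, no devices.list entry will bring mknod back, which is the behaviour the 1.0.4 fix introduces; the pre-populated /dev nodes keep working because the cgroup rule still grants r and w on them.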