git.ipfire.org Git - thirdparty/lxc.git/commit
Prevent access to pci devices (897/head)
author    Serge Hallyn <serge.hallyn@ubuntu.com>
          Wed, 16 Mar 2016 21:48:49 +0000 (14:48 -0700)
committer Serge Hallyn <serge.hallyn@ubuntu.com>
          Wed, 16 Mar 2016 22:18:51 +0000 (15:18 -0700)
commit    4845c17aff570c25e05c5347dfdcd577cb108d47
tree      005f56103b18c6650149b67150cd66b0d8466f02
parent    b3e4df8a83aba1256ab359128abcab7edc7dd9c3
Prevent access to pci devices

Prevent privileged containers from messing with the host's pci devices
directly.  Refuse access under /proc/bus, and drop cap_sys_rawio.  Some
containers may need to re-enable cap_sys_rawio (i.e. if they run an
X server).

It may be desirable to break some of this stuff into files which can be
separately included (or not included), but this patch isn't the right
place for that.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
files changed:
config/apparmor/abstractions/container-base
config/apparmor/abstractions/container-base.in
config/templates/common.conf.in
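The commit message describes two effects for a privileged container: cap_sys_rawio is dropped from the container's capability set, and the AppArmor abstraction denies /proc/bus. The script below is an added example, not code from this commit or from the LXC project, that a practitioner can run inside a container to confirm both. It assumes the kernel's capability number for CAP_SYS_RAWIO (17, from <linux/capability.h>) and the CapBnd line format of /proc/<pid>/status; the two sample masks are constructed, not taken from a real container.

```sh
#!/bin/sh
# Added example (not code from the LXC commit above): check that a process
# inside a container no longer holds CAP_SYS_RAWIO in its bounding set and
# cannot list /proc/bus. Capability numbering follows the kernel's
# <linux/capability.h>; the sample CapBnd values below are constructed.

CAP_SYS_RAWIO=17

# cap_in_mask MASK_HEX CAPNUM: succeed if bit CAPNUM is set in the 64-bit
# hex mask as printed in /proc/<pid>/status (e.g. 0000003fffffffff).
cap_in_mask() {
    _mask=$1; _cap=$2
    [ "$(( (0x$_mask >> $_cap) & 1 ))" -eq 1 ]
}

# capbnd_has_cap STATUS_LINE CAPNUM: parse a "CapBnd:<ws><hex>" line and
# test the bit. Returns 2 if the line is not a CapBnd line at all.
capbnd_has_cap() {
    _hex=$(printf '%s\n' "$1" | sed -n 's/^CapBnd:[[:space:]]*//p')
    [ -n "$_hex" ] || return 2
    cap_in_mask "$_hex" "$2"
}

# describe_capbnd STATUS_LINE: one-line verdict for sys_rawio.
describe_capbnd() {
    capbnd_has_cap "$1" "$CAP_SYS_RAWIO"
    case $? in
        0) echo "sys_rawio present" ;;
        1) echo "sys_rawio dropped" ;;
        *) echo "no CapBnd line" ;;
    esac
}

# live_capbnd_check: read the bounding set of this shell from /proc.
live_capbnd_check() {
    describe_capbnd "$(grep '^CapBnd:' /proc/self/status 2>/dev/null)"
}

# proc_bus_readable: succeed if /proc/bus can be listed. Under an AppArmor
# profile that denies /proc/bus this is expected to fail.
proc_bus_readable() {
    ls /proc/bus >/dev/null 2>&1
}

# Constructed samples: a full 38-bit bounding set, and the same set with
# bit 17 (CAP_SYS_RAWIO) cleared: nibble 'f' -> 'd' in the fifth hex digit.
FULL_BND='0000003fffffffff'
NO_RAWIO_BND='0000003ffffdffff'

main() {
    echo "sample full set:   $(describe_capbnd "CapBnd: $FULL_BND")"
    echo "sample without 17: $(describe_capbnd "CapBnd: $NO_RAWIO_BND")"
    echo "this process:      $(live_capbnd_check)"
    if proc_bus_readable; then
        echo "/proc/bus: readable (host PCI tree reachable)"
    else
        echo "/proc/bus: access denied"
    fi
    return 0
}

main "$@"
```

CapBnd is the bounding set, which is what an lxc.cap.drop entry removes before the container's init runs; no process in the container can regain a capability that is absent from it, which is why a container that does need cap_sys_rawio (the X server case the message mentions) has to override the drop in its own config rather than re-acquire it at runtime. The /proc/bus check only shows the deny when the shell really is confined by the updated container-base abstraction; on an unconfined host it will report the directory as readable.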