templates: deny writes to host's clock (v2)

Don't allow write to /dev/rtc0, and remove sys_time.

Thanks, Christoph.

v2: drop sys_time, sys_module, mac_admin and mac_override in
all templates.

Reported-by: Christoph Mitasch <cmitasch@thomas-krenn.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

diff --git a/templates/lxc-alpine.in b/templates/lxc-alpine.in
index 962d274e86da5dc7fcc91d5ef55ed12722de63c3..98347ed675faaa580b44204aa90086e1068788d2 100644 (file)
--- a/templates/lxc-alpine.in
+++ b/templates/lxc-alpine.in
@@ -109,6 +109,7 @@ EOF
 lxc.tty = 4
 lxc.pts = 1024
 lxc.utsname = $hostname
+lxc.cap.drop = sys_module mac_admin mac_override sys_time
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined
@@ -129,7 +130,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
 lxc.cgroup.devices.allow = c 136:* rwm
 lxc.cgroup.devices.allow = c 5:2 rwm
 # rtc
-lxc.cgroup.devices.allow = c 254:0 rwm
+lxc.cgroup.devices.allow = c 254:0 rm
 
 # mounts point
 lxc.mount.entry=proc proc proc nodev,noexec,nosuid 0 0

diff --git a/templates/lxc-altlinux.in b/templates/lxc-altlinux.in
index da66ae78c189f98508e13acb59a8885b5175b9de..cce214c0f144d7d37aca500745baa6415686e190 100644 (file)
--- a/templates/lxc-altlinux.in
+++ b/templates/lxc-altlinux.in
@@ -243,6 +243,7 @@ lxc.utsname = $name
 lxc.tty = 4
 lxc.pts = 1024
 lxc.mount = $config_path/fstab
+lxc.cap.drop = sys_module mac_admin mac_override sys_time
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined

diff --git a/templates/lxc-archlinux.in b/templates/lxc-archlinux.in
index ed5fb46ed2227292c36295ce2c9557cd6c5161c5..98d54242a23930ff6d467e78813813756a5010b2 100644 (file)
--- a/templates/lxc-archlinux.in
+++ b/templates/lxc-archlinux.in
@@ -127,7 +127,7 @@ lxc.tty=1
 lxc.pts=1024
 lxc.rootfs=${rootfs_path}
 lxc.mount=${config_path}/fstab
-lxc.cap.drop=mknod sys_module mac_admin mac_override
+lxc.cap.drop=mknod sys_module mac_admin mac_override sys_time
 lxc.kmsg=0
 lxc.stopsignal=SIGRTMIN+4
 #networking

diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
index 2ca2bfd70c6ee0789746b22f8344d0ee7b7e525e..81e9566c573ac6c9ff395f647af5262263a14837 100644 (file)
--- a/templates/lxc-busybox.in
+++ b/templates/lxc-busybox.in
@@ -261,6 +261,7 @@ cat <<EOF >> $path/config
 lxc.utsname = $name
 lxc.tty = 1
 lxc.pts = 1
+lxc.cap.drop = sys_module mac_admin mac_override sys_time
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined

diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in
index 568bc2cfba2ad5885c494e136cf707f41215bf37..d4ea3de59c6ececc003dd679e2f10ab07342ddb6 100644 (file)
--- a/templates/lxc-debian.in
+++ b/templates/lxc-debian.in
@@ -218,6 +218,7 @@ copy_configuration()
 lxc.tty = 4
 lxc.pts = 1024
 lxc.utsname = $hostname
+lxc.cap.drop = sys_module mac_admin mac_override sys_time
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined
@@ -237,7 +238,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
 lxc.cgroup.devices.allow = c 136:* rwm
 lxc.cgroup.devices.allow = c 5:2 rwm
 # rtc
-lxc.cgroup.devices.allow = c 254:0 rwm
+lxc.cgroup.devices.allow = c 254:0 rm
 
 # mounts point
 lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0

diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in
index 6f31e997ecaf90216a2aa3b2c069eabb13c05244..59f453be9ea3d44a12b4a6c9be72faaf5263ee2b 100644 (file)
--- a/templates/lxc-fedora.in
+++ b/templates/lxc-fedora.in
@@ -252,6 +252,7 @@ lxc.utsname = $name
 lxc.tty = 4
 lxc.pts = 1024
 lxc.mount = $config_path/fstab
+lxc.cap.drop = sys_module mac_admin mac_override sys_time
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined
@@ -272,7 +273,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
 lxc.cgroup.devices.allow = c 136:* rwm
 lxc.cgroup.devices.allow = c 5:2 rwm
 # rtc
-lxc.cgroup.devices.allow = c 254:0 rwm
+lxc.cgroup.devices.allow = c 254:0 rm
 EOF
 
     cat <<EOF > $config_path/fstab

diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in
index af92cf5d1be25cffaf86aa709edfca9288308f8a..7d3dd1cade3d4cc2f319c3373e21cbb1dd179fe6 100644 (file)
--- a/templates/lxc-opensuse.in
+++ b/templates/lxc-opensuse.in
@@ -275,7 +275,7 @@ lxc.autodev=1
 lxc.tty = 4
 lxc.pts = 1024
 lxc.mount = $path/fstab
-lxc.cap.drop = sys_module mac_admin mac_override mknod
+lxc.cap.drop = sys_module mac_admin mac_override mknod sys_time
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined
@@ -295,7 +295,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
 lxc.cgroup.devices.allow = c 136:* rwm
 lxc.cgroup.devices.allow = c 5:2 rwm
 # rtc
-lxc.cgroup.devices.allow = c 254:0 rwm
+lxc.cgroup.devices.allow = c 254:0 rm
 EOF
 
     cat <<EOF > $path/fstab

diff --git a/templates/lxc-sshd.in b/templates/lxc-sshd.in
index b704723b4757f09eb88f69ec404fe3c56f7ae175..2927c9295be57c578371cb6a99e2d1ba00f51a6e 100644 (file)
--- a/templates/lxc-sshd.in
+++ b/templates/lxc-sshd.in
@@ -112,6 +112,7 @@ copy_configuration()
 cat <<EOF >> $path/config
 lxc.utsname = $name
 lxc.pts = 1024
+lxc.cap.drop = sys_module mac_admin mac_override sys_time
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined

diff --git a/templates/lxc-ubuntu-cloud.in b/templates/lxc-ubuntu-cloud.in
index d60f2c74f08b8bd9eafd55e8897677f1a15379d3..9f5cf1993c8b2fe32a315b4a13a2036be6f27dfd 100644 (file)
--- a/templates/lxc-ubuntu-cloud.in
+++ b/templates/lxc-ubuntu-cloud.in
@@ -55,7 +55,7 @@ lxc.pts = 1024
 
 lxc.utsname = $name
 lxc.arch = $arch
-lxc.cap.drop = sys_module mac_admin mac_override
+lxc.cap.drop = sys_module mac_admin mac_override sys_time
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined
@@ -76,7 +76,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
 lxc.cgroup.devices.allow = c 136:* rwm
 lxc.cgroup.devices.allow = c 5:2 rwm
 # rtc
-lxc.cgroup.devices.allow = c 254:0 rwm
+lxc.cgroup.devices.allow = c 254:0 rm
 # fuse
 lxc.cgroup.devices.allow = c 10:229 rwm
 # tun

diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
index 7100acc878669a0b25968fbd79d3d666085acbf8..37a1b9c1372ade712c7abf17c0a3862ae0068c81 100644 (file)
--- a/templates/lxc-ubuntu.in
+++ b/templates/lxc-ubuntu.in
@@ -378,7 +378,7 @@ lxc.pts = 1024
 
 lxc.utsname = $name
 lxc.arch = $arch
-lxc.cap.drop = sys_module mac_admin mac_override
+lxc.cap.drop = sys_module mac_admin mac_override sys_time
 
 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined
@@ -399,7 +399,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
 lxc.cgroup.devices.allow = c 136:* rwm
 lxc.cgroup.devices.allow = c 5:2 rwm
 # rtc
-lxc.cgroup.devices.allow = c 254:0 rwm
+lxc.cgroup.devices.allow = c 254:0 rm
 # fuse
 lxc.cgroup.devices.allow = c 10:229 rwm
 # tun