From: Dwight Engen Date: Wed, 23 Oct 2013 21:03:40 +0000 (-0400) Subject: oracle template: restrict writeability in /proc and /sys X-Git-Tag: lxc-1.0.0.alpha3~67 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=33662399da0d6d29a2a49b36fe5394741e068ef0;p=thirdparty%2Flxc.git oracle template: restrict writeability in /proc and /sys Note that since we don't drop CAP_SYS_ADMIN, root in the container can remount proc or sys however they want to, however this at least improves the default situation. Signed-off-by: Dwight Engen Acked-by: Serge E. Hallyn
---
diff --git a/templates/lxc-oracle.in b/templates/lxc-oracle.in
index ddc6d7403..78d99ee11 100644
--- a/templates/lxc-oracle.in
+++ b/templates/lxc-oracle.in
@@ -350,7 +350,7 @@ lxc.utsname = $name
 lxc.devttydir = lxc
 lxc.tty = 4
 lxc.pts = 1024
-lxc.mount = $cfg_dir/fstab
+lxc.mount.auto = proc:mixed sys:ro
 lxc.hook.clone = @DATADIR@/lxc/hooks/clonehostname
 # Uncomment these if you don't run anything that needs the capability, and
 # would like the container to run with less privilege.
@@ -403,11 +403,6 @@ lxc.cgroup.devices.allow = c 1:8 rwm # /dev/random
 lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom
 lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc console
 lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master
-EOF
-
- cat < $cfg_dir/fstab || die "unable to create $cfg_dir/fstab"
-proc proc proc nodev,noexec,nosuid 0 0
-sysfs sys sysfs defaults 0 0
 EOF
 }
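Review bot: The generated config receives `lxc.mount.auto = proc:mixed sys:ro` without any comment telling the reader that this is a default hardening and not an enforced boundary. The commit message explains that container root keeps CAP_SYS_ADMIN and can remount /proc or /sys, but an administrator who only reads the container's config file never sees that caveat. I would add a comment line directly above the setting, for example `# /proc/sys and /sys are mounted read-only by default; container root can remount them unless sys_admin is in lxc.cap.drop`. The capability-drop lines that this hunk ends on are introduced as optional ("Uncomment these ...") and continue outside the hunk, so whether sys_admin is among them cannot be confirmed from here; the heredoc that writes the config also starts outside the hunk.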