From: Serge Hallyn Date: Wed, 1 May 2013 13:33:12 +0000 (-0500) Subject: templates: deny writes to host's clock (v2) X-Git-Tag: lxc-1.0.0.alpha1~1^2~242 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eee3ba81c88e64b8a732694fc4843a39d5bde491;p=thirdparty%2Flxc.git templates: deny writes to host's clock (v2) Don't allow write to /dev/rtc0, and remove sys_time. Thanks, Christoph. v2: drop sys_time, sys_module, mac_admin and mac_override in all templates. Reported-by: Christoph Mitasch Signed-off-by: Serge Hallyn --- diff --git a/templates/lxc-alpine.in b/templates/lxc-alpine.in index 962d274e8..98347ed67 100644 --- a/templates/lxc-alpine.in +++ b/templates/lxc-alpine.in @@ -109,6 +109,7 @@ EOF lxc.tty = 4 lxc.pts = 1024 lxc.utsname = $hostname +lxc.cap.drop = sys_module mac_admin mac_override sys_time # When using LXC with apparmor, uncomment the next line to run unconfined: #lxc.aa_profile = unconfined @@ -129,7 +130,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm lxc.cgroup.devices.allow = c 136:* rwm lxc.cgroup.devices.allow = c 5:2 rwm # rtc -lxc.cgroup.devices.allow = c 254:0 rwm +lxc.cgroup.devices.allow = c 254:0 rm # mounts point lxc.mount.entry=proc proc proc nodev,noexec,nosuid 0 0 diff --git a/templates/lxc-altlinux.in b/templates/lxc-altlinux.in index da66ae78c..cce214c0f 100644 --- a/templates/lxc-altlinux.in +++ b/templates/lxc-altlinux.in @@ -243,6 +243,7 @@ lxc.utsname = $name lxc.tty = 4 lxc.pts = 1024 lxc.mount = $config_path/fstab +lxc.cap.drop = sys_module mac_admin mac_override sys_time # When using LXC with apparmor, uncomment the next line to run unconfined: #lxc.aa_profile = unconfined diff --git a/templates/lxc-archlinux.in b/templates/lxc-archlinux.in index ed5fb46ed..98d54242a 100644 --- a/templates/lxc-archlinux.in +++ b/templates/lxc-archlinux.in 
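Review bot: The added `lxc.cap.drop = sys_module mac_admin mac_override sys_time` line goes into the generated container config with no comment, so an admin who later sees ntpd or `hwclock --systohc` fail inside the container has nothing pointing at the cause. I would add a line above it, e.g. `# Drop capabilities that act on the whole host: module loading, MAC policy changes, setting the clock`. The same bare line is added in lxc-altlinux.in, lxc-busybox.in, lxc-debian.in, lxc-fedora.in and lxc-sshd.in. The block that writes the config (presumably a heredoc) starts and ends outside the hunk.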
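Review bot: Removing `w` from `c 254:0` is not by itself what stops a container from setting the hardware clock. As far as I know the RTC set-time ioctl is accepted on a read-only descriptor and is gated by CAP_SYS_TIME, so the protection rests on the `sys_time` drop added earlier in this template. The `# rtc` comment should say so, e.g. `# rtc: read-only; clock writes are blocked by dropping sys_time`, so nobody later removes the capability drop believing the device rule covers it. It is also worth confirming that 254:0 really is rtc0 on the target hosts, since that major is in the dynamically assigned range. The same rule change appears in lxc-debian.in, lxc-fedora.in, lxc-opensuse.in, lxc-ubuntu-cloud.in and lxc-ubuntu.in.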
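Review bot: This template gets the capability drop but no device-rule change, and the same is true of lxc-archlinux.in, lxc-busybox.in and lxc-sshd.in in this diff. If any of them whitelists an RTC node under `lxc.cgroup.devices.allow` (possibly with a different major:minor than the `254:0` patched elsewhere), that rule keeps its `w` bit. Their device sections are not visible here, so this needs a check against the full files.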
@@ -127,7 +127,7 @@ lxc.tty=1 lxc.pts=1024 lxc.rootfs=${rootfs_path} lxc.mount=${config_path}/fstab -lxc.cap.drop=mknod sys_module mac_admin mac_override +lxc.cap.drop=mknod sys_module mac_admin mac_override sys_time lxc.kmsg=0 lxc.stopsignal=SIGRTMIN+4 #networking diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in index 2ca2bfd70..81e9566c5 100644 --- a/templates/lxc-busybox.in +++ b/templates/lxc-busybox.in @@ -261,6 +261,7 @@ cat <> $path/config lxc.utsname = $name lxc.tty = 1 lxc.pts = 1 +lxc.cap.drop = sys_module mac_admin mac_override sys_time # When using LXC with apparmor, uncomment the next line to run unconfined: #lxc.aa_profile = unconfined diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in index 568bc2cfb..d4ea3de59 100644 --- a/templates/lxc-debian.in +++ b/templates/lxc-debian.in @@ -218,6 +218,7 @@ copy_configuration() lxc.tty = 4 lxc.pts = 1024 lxc.utsname = $hostname +lxc.cap.drop = sys_module mac_admin mac_override sys_time # When using LXC with apparmor, uncomment the next line to run unconfined: #lxc.aa_profile = unconfined @@ -237,7 +238,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm lxc.cgroup.devices.allow = c 136:* rwm lxc.cgroup.devices.allow = c 5:2 rwm # rtc -lxc.cgroup.devices.allow = c 254:0 rwm +lxc.cgroup.devices.allow = c 254:0 rm # mounts point lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0 diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in index 6f31e997e..59f453be9 100644 --- a/templates/lxc-fedora.in +++ b/templates/lxc-fedora.in @@ -252,6 +252,7 @@ lxc.utsname = $name lxc.tty = 4 lxc.pts = 1024 lxc.mount = $config_path/fstab +lxc.cap.drop = sys_module mac_admin mac_override sys_time # When using LXC with apparmor, uncomment the next line to run unconfined: #lxc.aa_profile = unconfined 
@@ -272,7 +273,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm lxc.cgroup.devices.allow = c 136:* rwm lxc.cgroup.devices.allow = c 5:2 rwm # rtc -lxc.cgroup.devices.allow = c 254:0 rwm +lxc.cgroup.devices.allow = c 254:0 rm EOF cat < $config_path/fstab diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in index af92cf5d1..7d3dd1cad 100644 --- a/templates/lxc-opensuse.in +++ b/templates/lxc-opensuse.in @@ -275,7 +275,7 @@ lxc.autodev=1 lxc.tty = 4 lxc.pts = 1024 lxc.mount = $path/fstab -lxc.cap.drop = sys_module mac_admin mac_override mknod +lxc.cap.drop = sys_module mac_admin mac_override mknod sys_time # When using LXC with apparmor, uncomment the next line to run unconfined: #lxc.aa_profile = unconfined @@ -295,7 +295,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm lxc.cgroup.devices.allow = c 136:* rwm lxc.cgroup.devices.allow = c 5:2 rwm # rtc -lxc.cgroup.devices.allow = c 254:0 rwm +lxc.cgroup.devices.allow = c 254:0 rm EOF cat < $path/fstab diff --git a/templates/lxc-sshd.in b/templates/lxc-sshd.in index b704723b4..2927c9295 100644 --- a/templates/lxc-sshd.in +++ b/templates/lxc-sshd.in @@ -112,6 +112,7 @@ copy_configuration() cat <> $path/config lxc.utsname = $name lxc.pts = 1024 +lxc.cap.drop = sys_module mac_admin mac_override sys_time # When using LXC with apparmor, uncomment the next line to run unconfined: #lxc.aa_profile = unconfined diff --git a/templates/lxc-ubuntu-cloud.in b/templates/lxc-ubuntu-cloud.in index d60f2c74f..9f5cf1993 100644 --- a/templates/lxc-ubuntu-cloud.in +++ b/templates/lxc-ubuntu-cloud.in @@ -55,7 +55,7 @@ lxc.pts = 1024 lxc.utsname = $name lxc.arch = $arch -lxc.cap.drop = sys_module mac_admin mac_override +lxc.cap.drop = sys_module mac_admin mac_override sys_time # When using LXC with apparmor, uncomment the next line to run unconfined: #lxc.aa_profile = unconfined 
@@ -76,7 +76,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm lxc.cgroup.devices.allow = c 136:* rwm lxc.cgroup.devices.allow = c 5:2 rwm # rtc -lxc.cgroup.devices.allow = c 254:0 rwm +lxc.cgroup.devices.allow = c 254:0 rm # fuse lxc.cgroup.devices.allow = c 10:229 rwm # tun diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in index 7100acc87..37a1b9c13 100644 --- a/templates/lxc-ubuntu.in +++ b/templates/lxc-ubuntu.in @@ -378,7 +378,7 @@ lxc.pts = 1024 lxc.utsname = $name lxc.arch = $arch -lxc.cap.drop = sys_module mac_admin mac_override +lxc.cap.drop = sys_module mac_admin mac_override sys_time # When using LXC with apparmor, uncomment the next line to run unconfined: #lxc.aa_profile = unconfined @@ -399,7 +399,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm lxc.cgroup.devices.allow = c 136:* rwm lxc.cgroup.devices.allow = c 5:2 rwm # rtc -lxc.cgroup.devices.allow = c 254:0 rwm +lxc.cgroup.devices.allow = c 254:0 rm # fuse lxc.cgroup.devices.allow = c 10:229 rwm # tun