[originally posted to the wrong list]

On 11/01/2012 12:57 PM, Daniel J Walsh wrote:
>
> 0001-Linux-Containers-are-not-allowed-to-create-device-no.patch
>
>
>>From 3913ef4148728430cc9df79b84d5ec44130f4ac8 Mon Sep 17 00:00:00 2001
> From: rhatdan <dwalsh@xxxxxxxxxx>

I'll adjust the author attribution to match other patches of yours (we
generally prefer 'git shortlog' to list full names).

> Date: Thu, 1 Nov 2012 14:54:39 -0400
> Subject: [PATCH] Linux Containers are not allowed to create device nodes.
> This needs to be done before the container starts.  Turning
> off the mknod capabilty is noticed by systemd, which will

s/capabilty/capability/

> no longer attempt to create device nodes.

Missing a blank line, so 'git log' tries to treat this as a really long
subject line.

>
> This eliminates SELinux AVC messages and ugly failure messages in the journal.
> ---
>  src/lxc/lxc_container.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
> index 2789c17..8faa664 100644
> --- a/src/lxc/lxc_container.c
> +++ b/src/lxc/lxc_container.c
> @@ -1717,6 +1717,7 @@ static int lxcContainerDropCapabilities(bool keepReboot ATTRIBUTE_UNUSED)
> CAPNG_INHERITABLE | CAPNG_BOUNDING_SET,
> CAP_SYS_MODULE, /* No kernel module loading */
> CAP_SYS_TIME, /* No changing the clock */
> + CAP_MKNOD, /* No creating device nodes */
> CAP_AUDIT_CONTROL, /* No messing with auditing status */
> CAP_MAC_ADMIN, /* No messing with LSM config */
> keepReboot ? -1 : CAP_SYS_BOOT, /* No use of reboot */

Makes sense to me.  ACK; I'll clean it up and push in time for 1.0.0.

-- 
Eric Blake   eblake@xxxxxxxxxx    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
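Review bot: the position of the new CAP_MKNOD line above `keepReboot ? -1 : CAP_SYS_BOOT` is load-bearing, not cosmetic. The CAPNG_* flags and the -1 entry identify this as libcap-ng's capng_updatev() variadic list, which is -1-terminated, so any capability listed after that conditional entry is silently left in place whenever keepReboot is true; CAP_MKNOD is correctly placed here, but a short comment on the conditional line would stop the next addition from landing below it. On the commit message, beyond the typo already noted: add the blank line after the Subject, and state where the container's device nodes are populated before lxcContainerDropCapabilities() runs, since the message says this "needs to be done before the container starts" while the hunk shows only the drop.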
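The patch above hands CAP_MKNOD to libcap-ng, which removes it from the process's effective, permitted and inheritable sets and from the bounding set before the container's init is exec'd. As an added example, not libvirt's own code, the program below performs the same two-part drop with the raw kernel interfaces (capset(2) for the current sets, prctl(PR_CAPBSET_DROP) for the bounding set) and then shows that creating a character device node fails with EPERM afterwards, the behaviour the commit message relies on systemd noticing. The function names and the scratch path under /tmp are mine; the bounding-set drop needs CAP_SETPCAP, so it reports EPERM when run unprivileged while the current-set drop still succeeds.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/sysmacros.h>
#include <linux/capability.h>

/* Read the calling thread's capability sets (v3 layout: two 32-bit
 * words per set, covering capability numbers 0..63). */
static int read_caps(struct __user_cap_data_struct data[2])
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    if (syscall(SYS_capget, &hdr, data) < 0)
        return -errno;
    return 0;
}

/* 1 if `cap` is in the effective set, 0 if not, -errno on error. */
int cap_is_effective(int cap)
{
    struct __user_cap_data_struct data[2];
    int rc = read_caps(data);
    if (rc < 0)
        return rc;
    return (data[cap / 32].effective >> (cap % 32)) & 1;
}

/* Remove `cap` from the effective, permitted and inheritable sets of the
 * calling thread.  Shrinking one's own sets needs no privilege, and it is
 * irreversible for this process: this is the part that makes mknod() fail
 * immediately, before any exec() happens. */
int drop_cap_current(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    int rc = read_caps(data);
    if (rc < 0)
        return rc;
    __u32 mask = ~(1u << (cap % 32));
    data[cap / 32].effective   &= mask;
    data[cap / 32].permitted   &= mask;
    data[cap / 32].inheritable &= mask;
    if (syscall(SYS_capset, &hdr, data) < 0)
        return -errno;
    return 0;
}

/* Remove `cap` from the bounding set so that nothing exec()'d later (the
 * container's init, for example) can regain it via file capabilities or a
 * set-uid binary.  Requires CAP_SETPCAP; unprivileged callers get EPERM. */
int drop_cap_bounding(int cap)
{
    if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) < 0)
        return -errno;
    return 0;
}

/* Try to create a character device node (using /dev/null's 1:3 numbers) at
 * `path`.  Returns 0 on success (the node is removed again) or -errno.
 * Without CAP_MKNOD the kernel refuses with EPERM. */
int try_mknod_chardev(const char *path)
{
    if (mknod(path, S_IFCHR | 0600, makedev(1, 3)) < 0)
        return -errno;
    unlink(path);
    return 0;
}

int main(void)
{
    const char *path = "/tmp/cap_mknod_demo_node"; /* scratch path, an assumption */
    int rc;

    printf("CAP_MKNOD effective before drop: %d\n", cap_is_effective(CAP_MKNOD));

    rc = drop_cap_bounding(CAP_MKNOD);
    printf("bounding-set drop: %s\n", rc ? strerror(-rc) : "ok");

    rc = drop_cap_current(CAP_MKNOD);
    printf("current-set drop:  %s\n", rc ? strerror(-rc) : "ok");

    rc = try_mknod_chardev(path);
    printf("mknod after drop:  %s\n", rc ? strerror(-rc) : "succeeded");
    return 0;
}
```

Run it as root to see the before/after difference; as an ordinary user the first line already prints 0 and only the bounding-set step reports EPERM. Dropping the bounding-set bit alone would not change the outcome of the mknod() call in this same process, which is why both halves are needed and why libcap-ng is told CAPNG_EFFECTIVE | CAPNG_PERMITTED | CAPNG_INHERITABLE | CAPNG_BOUNDING_SET in the hunk.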
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list