On Thu, Apr 18, 2013 at 11:31:56AM +0200, Mohamed Larabi wrote:
> Hi Daniel,
>
> knowing that the /dev/random (c 1:8 rwm) device is assigned to the containers, the problem is:
> - with libvirt 1.0.3: inside the container, I can do rm -f /dev/random; mknod /dev/random c 1 8 (which works fine)
> - with libvirt 1.0.4: rm -f /dev/random; mknod /dev/random c 1 8 is not working (mknod: `random': Operation not permitted)
>
> why is it allowed in 1.0.3 and not in 1.0.4?

Because in 1.0.4 we fixed the bug that mistakenly allowed mknod in earlier releases. We were already blocking users from accessing any other devices via cgroups, but we mistakenly didn't forbid mknod via the system capabilities, which is more secure than cgroups. Just don't delete the devices that are pre-populated by libvirt.

Daniel

-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users
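The reply above describes two independent guards: the cgroup device whitelist and the dropped CAP_MKNOD capability. As an added example (not from this thread or from libvirt), the script below audits both from inside a container by parsing a `/proc/self/status` CapBnd line and a cgroup v1 `devices.list`; both inputs here are constructed samples, and the whitelist is assumed to be the cgroup v1 devices controller format.

```python
"""Audit the two guards against mknod inside a container: the CAP_MKNOD
bounding-set bit and the cgroup v1 device whitelist. Sample inputs are
constructed to mimic what a libvirt LXC container would show."""

CAP_MKNOD = 27  # capability number from linux/capability.h

# Constructed sample of /proc/self/status (only the capability lines matter)
SAMPLE_STATUS = """\
Name:\tbash
CapInh:\t0000000000000000
CapPrm:\t00000000f7ffffff
CapEff:\t00000000f7ffffff
CapBnd:\t00000000f7ffffff
"""

# Constructed sample of the container's cgroup v1 devices.list
SAMPLE_DEVICES_LIST = """\
c 1:3 rwm
c 1:5 rwm
c 1:7 rwm
c 1:8 rwm
c 1:9 rwm
c 5:2 rwm
c 136:* rwm
"""


def capability_in_bounding_set(status_text, cap_number):
    """True if the capability bit is still set in CapBnd (i.e. not dropped)."""
    for line in status_text.splitlines():
        if line.startswith("CapBnd:"):
            mask = int(line.split(":", 1)[1].strip(), 16)
            return bool((mask >> cap_number) & 1)
    raise ValueError("CapBnd line not found")


def device_allowed(devices_list_text, dev_type, major, minor, access="rwm"):
    """True if some whitelist rule grants every requested access mode."""
    for line in devices_list_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        rtype, numbers, modes = parts
        if rtype not in ("a", dev_type):  # 'a' matches every device
            continue
        rmajor, rminor = numbers.split(":")
        major_ok = rtype == "a" or rmajor == "*" or int(rmajor) == major
        minor_ok = rtype == "a" or rminor == "*" or int(rminor) == minor
        if major_ok and minor_ok and all(m in modes for m in access):
            return True
    return False


def mknod_random_possible(status_text, devices_list_text):
    """mknod of /dev/random needs CAP_MKNOD; the cgroup only governs use."""
    return capability_in_bounding_set(status_text, CAP_MKNOD)
```

With the sample data the whitelist still permits `c 1:8`, so the pre-populated `/dev/random` keeps working, while the cleared CAP_MKNOD bit is what makes re-creating it fail.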