On Fri, Mar 15, 2013 at 13:13 +0400, Glauber Costa wrote: > Since we have strict control on who access the devices, it should be > no problem to allow the device to appear. ... > - if ((S_ISCHR(mode) || S_ISBLK(mode)) && !capable(CAP_MKNOD)) > + if ((S_ISCHR(mode) || S_ISBLK(mode)) && !nsown_capable(CAP_MKNOD)) As now we have several mechanisms for dev nodes usage in containers (cgroup, per-fs flags, CAP_MKNOD), probably it's better to document all this stuff in a single document? Enumerate all possible limits of device files creation and usage, and describe unobvious ways to abuse the API to escape from a container (allow loopback device? allow ext4? just guessing, didn't investigate myself). It should document several safe patterns for common cases and beware of known-to-be-vulnerable ones. Thanks, -- Vasily Kulikov http://www.openwall.com - bringing security into open computing environments _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linuxfoundation.org/mailman/listinfo/containers
