I have a container that autobuilds packages (debs with pbuilder, live
CDs with live-build).  These scripts use chroots, and want to populate
(but not use) a bunch of device files within the chroot's /dev.

I found that to make this work, I need to

  1) remove "lxc.cap.drop = mknod"
  2) add "lxc.cgroup.devices.allow = b *:* m" and
         "lxc.cgroup.devices.allow = c *:* m"

AIUI this gives the container permission to *create* arbitrary device
files, but not to read nor write from them.  Is that correct?

What are the security implications of granting this privilege to a
container?  *I* can't think of any, but I may have missed something.


_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
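A way to check what such a device whitelist actually grants, as an added example that is not from the original post: it parses lines of the same form as the `lxc.cgroup.devices.allow` values (and as the cgroup v1 `devices.list` file) from a constructed sample and reports, for one device node, whether the container may create it (m), read it (r) or write it (w). The sample list and the nodes checked are assumptions; inside a running container the same function can be fed `/sys/fs/cgroup/devices/devices.list` instead.

```shell
#!/bin/sh
# Added example, not from the original post. Whitelist entries have the
# form "<type> <major>:<minor> <access>", e.g. "c *:* m"; "a" matches
# every type and "*" matches any major or minor number.

# Constructed sample: the two rules from the post plus entries an LXC
# template typically adds for /dev/null (c 1:3) and /dev/tty (c 5:0).
SAMPLE_DEVICES_LIST='c *:* m
b *:* m
c 1:3 rwm
c 5:0 rwm'

# device_grants TYPE MAJOR MINOR ACCESS_CHAR
# Reads whitelist lines on stdin; returns 0 if any entry grants
# ACCESS_CHAR (r, w or m) for the given node, 1 otherwise.
device_grants() {
  want_type=$1; want_major=$2; want_minor=$3; want_access=$4
  while read -r type majmin access; do
    [ -n "$type" ] || continue
    major=${majmin%%:*}; minor=${majmin#*:}
    { [ "$type" = "a" ] || [ "$type" = "$want_type" ]; } || continue
    { [ "$major" = "*" ] || [ "$major" = "$want_major" ]; } || continue
    { [ "$minor" = "*" ] || [ "$minor" = "$want_minor" ]; } || continue
    case $access in *"$want_access"*) return 0 ;; esac
  done
  return 1
}

# summarize TYPE MAJOR MINOR
# Prints the subset of "rwm" the sample list permits for that node,
# or "none" if it is completely denied.
summarize() {
  out=""
  for a in r w m; do
    if printf '%s\n' "$SAMPLE_DEVICES_LIST" | device_grants "$1" "$2" "$3" "$a"; then
      out="$out$a"
    fi
  done
  printf '%s\n' "${out:-none}"
}

# Walks two nodes: a block device (b 8:0) is mknod-only under the
# post's rules, while /dev/null (c 1:3) is fully usable.
check_sample() {
  printf 'b 8:0 -> %s\n' "$(summarize b 8 0)"   # m
  printf 'c 1:3 -> %s\n' "$(summarize c 1 3)"   # rwm
}
check_sample
```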
