Re: [Lxc-users] What are the security implications of lxc.cgroup.devices.allow = [cb] *:* m?
Quoting Trent W. Buck (trentb...@gmail.com):
> I have a container that autobuilds packages (debs with pbuilder, live CDs
> with live-build). These scripts use chroots, and want to populate (but not
> use) a bunch of device files within the chroot's /dev.
>
> I found that to make this work, I need to
>
> 1) remove lxc.cap.drop = mknod
> 2) add lxc.cgroup.devices.allow = b *:* m
>    and lxc.cgroup.devices.allow = c *:* m
>
> AIUI this gives the container permission to *create* arbitrary device
> files, but not to read nor write from them. Is that correct?

Yes (iirc)

> What are the security implications of granting this privilege to a
> container? *I* can't think of any, but I may have missed something.

Ditto - can't think of any, but that shouldn't put your mind at ease.

-serge

___
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
[Lxc-users] What are the security implications of lxc.cgroup.devices.allow = [cb] *:* m?
I have a container that autobuilds packages (debs with pbuilder, live CDs
with live-build). These scripts use chroots, and want to populate (but not
use) a bunch of device files within the chroot's /dev.

I found that to make this work, I need to

1) remove lxc.cap.drop = mknod
2) add lxc.cgroup.devices.allow = b *:* m
   and lxc.cgroup.devices.allow = c *:* m

AIUI this gives the container permission to *create* arbitrary device
files, but not to read nor write from them. Is that correct?

What are the security implications of granting this privilege to a
container? *I* can't think of any, but I may have missed something.
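A way to check the setup discussed in this thread, added here as an example and not code from either poster: an audit of an LXC config for devices-cgroup rules that grant more than "m" on wildcard devices, a check of whether lxc.cap.drop still lists mknod, and a probe to run inside the container confirming that mknod succeeds while open() is refused. The sample config, the function names and the choice of block device 7:0 (/dev/loop0) as the probe are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread). Rule format in the config:
#   lxc.cgroup.devices.allow = <type> <major>:<minor> <perms>
#   type: a (all), b (block), c (char)   perms: any of r, w, m

# Constructed config mirroring the poster's change: mknod no longer in
# lxc.cap.drop, wildcard m-only rules, plus an explicit rwm rule for /dev/null.
write_sample_config() {
    cat > "$1" <<'EOF'
lxc.cap.drop = sys_module sys_time
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = b *:* m
lxc.cgroup.devices.allow = c *:* m
EOF
}

# Print every allow rule that grants r or w on a wildcard major or minor.
# Exit status 0 when there is none, 1 when at least one exists.
audit_device_rules() {
    sed -n 's/^[[:space:]]*lxc\.cgroup\.devices\.allow[[:space:]]*=[[:space:]]*//p' "$1" |
    awk 'index($2, "*") && $3 ~ /[rw]/ { print "broad r/w rule: " $0; bad++ }
         END { exit (bad > 0) }'
}

# Exit status 0 when lxc.cap.drop still lists mknod, 1 otherwise.
mknod_cap_dropped() {
    sed -n 's/^[[:space:]]*lxc\.cap\.drop[[:space:]]*=//p' "$1" | grep -qw mknod
}

# Run *inside* the container. Creates a node for the given device in a
# scratch dir and opens it (open only, no read, which is what the devices
# cgroup checks). With "b *:* m" the mknod succeeds and the open fails with
# EPERM. Use a major:minor the config does not grant r/w to explicitly;
# the default 7:0 (/dev/loop0) assumes no such rule exists.
verify_mknod_only() {
    type=${1:-b}; major=${2:-7}; minor=${3:-0}
    dir=$(mktemp -d) || return 2
    node="$dir/probe"
    if ! mknod "$node" "$type" "$major" "$minor" 2>/dev/null; then
        echo "mknod denied: cap still dropped or no m rule"; rm -rf "$dir"; return 1
    fi
    if ( exec 3< "$node" ) 2>/dev/null; then
        echo "open SUCCEEDED: rule grants more than m for $type $major:$minor"
        rm -rf "$dir"; return 1
    fi
    echo "ok: mknod allowed, open denied for $type $major:$minor"
    rm -rf "$dir"
}
```

Run the audit on the host against the container's config, and verify_mknod_only from a shell inside the container (it needs root there to call mknod).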