Hello, I did some testing with "rm" access to /dev/rtc. It seems that this is not enough.
I did a strace with the hwclock --set command and found out that it is doing an ioctl(RTC_SET_TIME). This works even if /dev/rtc is not allowed to write. # echo test > /dev/rtc -bash: /dev/rtc: Operation not permitted # hwclock Tue Apr 30 18:02:00 2013 -0.290344 seconds # hwclock --set --date 18:02 --debug ... Using /dev interface to clock. ... ioctl(RTC_SET_TIME) was successful. ... I finally got it working as expecting when dropping the sys_time capability. lxc.cap.drop = sys_time I think both the write permission for /dev/rtc and the sys_time capability should be removed in the templates! Regards, Christoph ----- Ursprüngliche Mail ----- > Von: "Serge Hallyn" <serge.hal...@ubuntu.com> > An: "Christoph Mitasch" <cmita...@thomas-krenn.com> > CC: lxc-users@lists.sourceforge.net > Gesendet: Dienstag, 30. April 2013 15:17:40 > Betreff: Re: [Lxc-users] Disable write access to /dev/rtc in templates > > Quoting Christoph Mitasch (cmita...@thomas-krenn.com): > > Hello, > > > > we recently discovered that a container was able to modify the > > hardware clock of a server. > > > > When checking the lxc configuration I found out that rwm access to > > /dev/rtc was granted. > > > > Unfortunately most lxc templates allow write access per default. > > http://lxc.git.sourceforge.net/git/gitweb.cgi?p=lxc/lxc;a=tree;f=templates > > > > This was already discussed a few years ago: > > http://www.mail-archive.com/lxc-users@lists.sourceforge.net/msg00718.html > > > > I would recommend to modify access to /dev/rtc in the templates. > > Or are there any caveats to do so? > > Thanks for the reminder. > > I can't think of any. > > If noone else speaks up by tomorrow, I'll update the templates to > make it 'rm'. > ------------------------------------------------------------------------------ Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET Get 100% visibility into your production application - at no cost. Code-level diagnostics for performance bottlenecks with <2% overhead Download for free and get started troubleshooting in minutes. http://p.sf.net/sfu/appdyn_d2d_ap1 _______________________________________________ Lxc-users mailing list Lxc-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-users
