Quoting Christoph Mitasch (cmita...@thomas-krenn.com):
Hello,
we recently discovered that a container was able to modify the hardware clock
of a server.
When checking the lxc configuration I found out that rwm access to /dev/rtc
was granted.
Unfortunately most lxc templates allow
Hello,
I did some testing with rm access to /dev/rtc. It seems that this is not
enough.
I did a strace with the hwclock --set command and found out that it is doing an
ioctl(RTC_SET_TIME). This works even if /dev/rtc is not allowed to write.
# echo test > /dev/rtc
-bash: /dev/rtc: Operation
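The observation above is that the devices cgroup only gates open() (the r/w/m bits); once a process holds a file descriptor, ioctl() is not filtered by the cgroup at all, so an entry granting only "r" still lets a container issue RTC ioctls and the kernel's own CAP_SYS_TIME check on RTC_SET_TIME is the only remaining guard. A defender therefore wants to audit container configs for any `lxc.cgroup.devices.allow` rule that reaches the RTC device at all, rather than for the write bit. The script below is an added example, not code from this thread or from the lxc project; the sample config is constructed, and it assumes /dev/rtc is character device 254:0 (verify with `ls -l /dev/rtc` on the host, since the rtc major is assigned dynamically on some kernels). It does not model deny/allow ordering beyond flagging any allow rule that matches.

```python
import re

# Constructed sample of an lxc container config (not taken from the thread).
# Note the "rm" entry for the RTC device: read + mknod, no write bit.
SAMPLE_CONFIG = """\
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 254:0 rm
lxc.cgroup.devices.allow = c 5:1 rwm
"""

# Matches "lxc.cgroup.devices.allow = <type> <major>:<minor> <access>" as well as
# the bare "lxc.cgroup.devices.allow = a" form (all devices, all access).
ALLOW_RE = re.compile(
    r"^\s*lxc\.cgroup\.devices\.allow\s*=\s*([abc])"
    r"(?:\s+(\*|\d+):(\*|\d+)\s+([rwm]+))?\s*$"
)


def parse_device_allows(config_text):
    """Return (type, major, minor, access) tuples for every devices.allow line.

    For the bare "a" form major, minor and access are None.
    """
    entries = []
    for line in config_text.splitlines():
        m = ALLOW_RE.match(line)
        if m:
            entries.append(m.groups())
    return entries


def _matches(entry, dev_type, major, minor):
    """True if an allow entry covers the given device (wildcards honoured)."""
    t, maj, mn, _ = entry
    if t == "a":
        return True
    if t != dev_type:
        return False
    return (maj == "*" or int(maj) == major) and (mn == "*" or int(mn) == minor)


def rtc_exposure(config_text, major=254, minor=0):
    """Access strings of every allow rule that lets the container open the RTC.

    Any entry at all is a finding: the devices cgroup decides open(), not
    ioctl(), so "r" alone is enough to reach ioctl(RTC_SET_TIME).
    """
    return [
        e[3] or "rwm"
        for e in parse_device_allows(config_text)
        if _matches(e, "c", major, minor)
    ]


def audit(config_text, major=254, minor=0):
    """One-line verdict for a config; the fix is to remove the rule entirely
    (and, belt and braces, drop CAP_SYS_TIME with lxc.cap.drop = sys_time)."""
    access = rtc_exposure(config_text, major, minor)
    if not access:
        return "ok: no devices.allow rule reaches the RTC device"
    return "exposed: RTC device reachable via allow rule(s) %s" % ",".join(access)


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Run it against a real container config with `python3 audit.py < /var/lib/lxc/NAME/config` after changing the `__main__` block to read stdin; the point of the verdict is that read-only access to the device is not a mitigation.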