templates: deny writes to host's clock (v2)

Don't allow write to /dev/rtc0, and remove sys_time. Thanks, Christoph. v2: drop sys_time, sys_module, mac_admin and mac_override in all templates. Reported-by: Christoph Mitasch <cmitasch@thomas-krenn.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

templates: deny writes to host's clock (v2)
eee3ba81 · Serge Hallyn · ee25a44f · eee3ba81 · eee3ba81 · eee3ba81
Commit eee3ba81 authored May 01, 2013 by Serge Hallyn
10 changed files
--- a/templates/lxc-alpine.in
+++ b/templates/lxc-alpine.in
@@ -109,6 +109,7 @@ EOF
 lxc.tty = 4
 lxc.pts = 1024
 lxc.utsname = $hostname
+lxc.cap.drop = sys_module mac_admin mac_override sys_time

 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined
@@ -129,7 +130,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
 lxc.cgroup.devices.allow = c 136:* rwm
 lxc.cgroup.devices.allow = c 5:2 rwm
 # rtc
-lxc.cgroup.devices.allow = c 254:0 rwm
+lxc.cgroup.devices.allow = c 254:0 rm

 # mounts point
 lxc.mount.entry=proc proc proc nodev,noexec,nosuid 0 0

--- a/templates/lxc-altlinux.in
+++ b/templates/lxc-altlinux.in
@@ -243,6 +243,7 @@ lxc.utsname = $name
 lxc.tty = 4
 lxc.pts = 1024
 lxc.mount = $config_path/fstab
+lxc.cap.drop = sys_module mac_admin mac_override sys_time

 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined

--- a/templates/lxc-archlinux.in
+++ b/templates/lxc-archlinux.in
@@ -127,7 +127,7 @@ lxc.tty=1
 lxc.pts=1024
 lxc.rootfs=${rootfs_path}
 lxc.mount=${config_path}/fstab
-lxc.cap.drop=mknod sys_module mac_admin mac_override
+lxc.cap.drop=mknod sys_module mac_admin mac_override sys_time
 lxc.kmsg=0
 lxc.stopsignal=SIGRTMIN+4
 #networking

--- a/templates/lxc-busybox.in
+++ b/templates/lxc-busybox.in
@@ -261,6 +261,7 @@ cat <<EOF >> $path/config
 lxc.utsname = $name
 lxc.tty = 1
 lxc.pts = 1
+lxc.cap.drop = sys_module mac_admin mac_override sys_time

 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined

--- a/templates/lxc-debian.in
+++ b/templates/lxc-debian.in
@@ -218,6 +218,7 @@ copy_configuration()
 lxc.tty = 4
 lxc.pts = 1024
 lxc.utsname = $hostname
+lxc.cap.drop = sys_module mac_admin mac_override sys_time

 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined
@@ -237,7 +238,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
 lxc.cgroup.devices.allow = c 136:* rwm
 lxc.cgroup.devices.allow = c 5:2 rwm
 # rtc
-lxc.cgroup.devices.allow = c 254:0 rwm
+lxc.cgroup.devices.allow = c 254:0 rm

 # mounts point
 lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0

--- a/templates/lxc-fedora.in
+++ b/templates/lxc-fedora.in
@@ -252,6 +252,7 @@ lxc.utsname = $name
 lxc.tty = 4
 lxc.pts = 1024
 lxc.mount = $config_path/fstab
+lxc.cap.drop = sys_module mac_admin mac_override sys_time

 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined
@@ -272,7 +273,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
 lxc.cgroup.devices.allow = c 136:* rwm
 lxc.cgroup.devices.allow = c 5:2 rwm
 # rtc
-lxc.cgroup.devices.allow = c 254:0 rwm
+lxc.cgroup.devices.allow = c 254:0 rm
 EOF

    cat <<EOF > $config_path/fstab

--- a/templates/lxc-opensuse.in
+++ b/templates/lxc-opensuse.in
@@ -275,7 +275,7 @@ lxc.autodev=1
 lxc.tty = 4
 lxc.pts = 1024
 lxc.mount = $path/fstab
-lxc.cap.drop = sys_module mac_admin mac_override mknod
+lxc.cap.drop = sys_module mac_admin mac_override mknod sys_time

 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined
@@ -295,7 +295,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
 lxc.cgroup.devices.allow = c 136:* rwm
 lxc.cgroup.devices.allow = c 5:2 rwm
 # rtc
-lxc.cgroup.devices.allow = c 254:0 rwm
+lxc.cgroup.devices.allow = c 254:0 rm
 EOF

    cat <<EOF > $path/fstab

--- a/templates/lxc-sshd.in
+++ b/templates/lxc-sshd.in
@@ -112,6 +112,7 @@ copy_configuration()
 cat <<EOF >> $path/config
 lxc.utsname = $name
 lxc.pts = 1024
+lxc.cap.drop = sys_module mac_admin mac_override sys_time

 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined

--- a/templates/lxc-ubuntu-cloud.in
+++ b/templates/lxc-ubuntu-cloud.in
@@ -55,7 +55,7 @@ lxc.pts = 1024

 lxc.utsname = $name
 lxc.arch = $arch
-lxc.cap.drop = sys_module mac_admin mac_override
+lxc.cap.drop = sys_module mac_admin mac_override sys_time

 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined
@@ -76,7 +76,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
 lxc.cgroup.devices.allow = c 136:* rwm
 lxc.cgroup.devices.allow = c 5:2 rwm
 # rtc
-lxc.cgroup.devices.allow = c 254:0 rwm
+lxc.cgroup.devices.allow = c 254:0 rm
 # fuse
 lxc.cgroup.devices.allow = c 10:229 rwm
 # tun

--- a/templates/lxc-ubuntu.in
+++ b/templates/lxc-ubuntu.in
@@ -378,7 +378,7 @@ lxc.pts = 1024

 lxc.utsname = $name
 lxc.arch = $arch
-lxc.cap.drop = sys_module mac_admin mac_override
+lxc.cap.drop = sys_module mac_admin mac_override sys_time

 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.aa_profile = unconfined
@@ -399,7 +399,7 @@ lxc.cgroup.devices.allow = c 1:8 rwm
 lxc.cgroup.devices.allow = c 136:* rwm
 lxc.cgroup.devices.allow = c 5:2 rwm
 # rtc
-lxc.cgroup.devices.allow = c 254:0 rwm
+lxc.cgroup.devices.allow = c 254:0 rm
 # fuse
 lxc.cgroup.devices.allow = c 10:229 rwm
 # tun