From 9a5430414ddce7a4576dada8982e2027670b887c Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Thu, 1 Nov 2012 14:54:39 -0400
Subject: [PATCH] Linux Containers are not allowed to create device nodes. This needs to be done before the container starts. Turning off the mknod capability is noticed by systemd, which will no longer attempt to create device nodes. This eliminates SELinux AVC messages and ugly failure messages in the journal.
(cherry picked from commit 2e03b08ead603c38c244aa9a1ecef6d73bb306be)
---
src/lxc/lxc_container.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 2789c17529..8faa664d74 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -1717,6 +1717,7 @@ static int lxcContainerDropCapabilities(bool keepReboot ATTRIBUTE_UNUSED)
 CAPNG_INHERITABLE | CAPNG_BOUNDING_SET,
 CAP_SYS_MODULE, /* No kernel module loading */
 CAP_SYS_TIME, /* No changing the clock */
+ CAP_MKNOD, /* No creating device nodes */
 CAP_AUDIT_CONTROL, /* No messing with auditing status */
 CAP_MAC_ADMIN, /* No messing with LSM config */
 keepReboot ? -1 : CAP_SYS_BOOT, /* No use of reboot */
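Review bot: The new CAP_MKNOD entry makes the capability list depend on an ordering that the code itself does not record: every device node the container will ever need must already exist before lxcContainerDropCapabilities() runs, because the capability is removed from the bounding set and cannot be regained by the container's init. That constraint is stated only in the commit message, so a maintainer reordering the container setup path would not see it; a comment on the added line such as `CAP_MKNOD, /* No creating device nodes - all required nodes must exist before this call */` would keep it next to the code. The list is also terminated by the `keepReboot ? -1 : CAP_SYS_BOOT` entry, so any capability placed after it would presumably be skipped when keepReboot is true; the new entry is correctly placed before it, but that hazard is worth a one-line comment too. The enclosing function starts and ends outside this hunk, so the capng call and its return-value handling could not be checked here.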