Linux Containers are not allowed to create device nodes.

This needs to be done before the container starts. Turning
off the mknod capability is noticed by systemd, which will
no longer attempt to create device nodes.

This eliminates SELinux AVC messages and ugly failure messages in the journal.
(cherry picked from commit 2e03b08ead)
This commit is contained in:
Dan Walsh 2012-11-01 14:54:39 -04:00 committed by Cole Robinson
parent d676b742ca
commit 9a5430414d

View File

@ -1717,6 +1717,7 @@ static int lxcContainerDropCapabilities(bool keepReboot ATTRIBUTE_UNUSED)
CAPNG_INHERITABLE | CAPNG_BOUNDING_SET, CAPNG_INHERITABLE | CAPNG_BOUNDING_SET,
CAP_SYS_MODULE, /* No kernel module loading */ CAP_SYS_MODULE, /* No kernel module loading */
CAP_SYS_TIME, /* No changing the clock */ CAP_SYS_TIME, /* No changing the clock */
CAP_MKNOD, /* No creating device nodes */
CAP_AUDIT_CONTROL, /* No messing with auditing status */ CAP_AUDIT_CONTROL, /* No messing with auditing status */
CAP_MAC_ADMIN, /* No messing with LSM config */ CAP_MAC_ADMIN, /* No messing with LSM config */
keepReboot ? -1 : CAP_SYS_BOOT, /* No use of reboot */ keepReboot ? -1 : CAP_SYS_BOOT, /* No use of reboot */