[pve-devel] [PATCH container] close #1785: whitelist namespaced lxc.sysfs.* entries

Wolfgang Bumiller w.bumiller at proxmox.com
Fri Jan 4 11:29:20 CET 2019


According to namespaces(7) these should be namespaced (iow.
changing these values on the host does not propagate them to
running containers), so it makes sense to whitelist them.

Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
Link: https://github.com/lxc/lxc/issues/989
---
 src/PVE/LXC/Config.pm | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/PVE/LXC/Config.pm b/src/PVE/LXC/Config.pm
index 56082dd..610adf3 100644
--- a/src/PVE/LXC/Config.pm
+++ b/src/PVE/LXC/Config.pm
@@ -509,6 +509,17 @@ my $valid_lxc_conf_keys = {
     'lxc.start.order' => 1,
     'lxc.group' => 1,
     'lxc.environment' => 1,
+
+    # All these are namespaced via CLONE_NEWIPC (see namespaces(7)).
+    'lxc.sysfs.fs.mqueue' => 1,
+    'lxc.sysfs.kernel.msgmax' => 1,
+    'lxc.sysfs.kernel.msgmnb' => 1,
+    'lxc.sysfs.kernel.msgmni' => 1,
+    'lxc.sysfs.kernel.sem' => 1,
+    'lxc.sysfs.kernel.shmall' => 1,
+    'lxc.sysfs.kernel.shmmax' => 1,
+    'lxc.sysfs.kernel.shmmni' => 1,
+    'lxc.sysfs.kernel.shm_rmid_forced' => 1,
 };
 
 my $deprecated_lxc_conf_keys = {
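Review bot: the key prefix used throughout the added block, `lxc.sysfs.`, does not match the option LXC documents for setting kernel parameters, which is `lxc.sysctl.<parameter>` (lxc.container.conf(5)); as written, the whitelist would accept a prefix LXC does not recognize while the intended `lxc.sysctl.kernel.msgmax` etc. stay rejected by the validator, so the entries should read `'lxc.sysctl.kernel.msgmax' => 1` and so on (the patch subject should be adjusted to match). Separately, `fs.mqueue` is a sysctl directory, not a single tunable: its entries are `fs.mqueue.msg_max`, `fs.mqueue.msgsize_max` and `fs.mqueue.queues_max`, so if `$valid_lxc_conf_keys` is consulted by exact key lookup (as the `=> 1` entries suggest), `'lxc.sysfs.fs.mqueue' => 1` will never match a real setting and the three concrete keys should be listed instead. The `CLONE_NEWIPC` comment is accurate for the `kernel.msg*`, `kernel.sem`, `kernel.shm*` and `fs.mqueue.*` families, and since the whole point of the whitelist is to expose only host-independent settings to container configs, it would be worth stating that rationale in the comment so future additions to this block are held to the same namespacing criterion.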
-- 
2.11.0