From d4a135f7b7d816d318e3d91a0364b7ca225be4cc Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller
Date: Fri, 4 Jan 2019 12:35:27 +0100
Subject: [PATCH] close #1785: whitelist namespaced lxc.sysfs.* entries

According do namespaces(7) these should be namespaced (iow. changing these values on the host they are not propagated to running containers), so it makes sense to whitelist them. Note that these only work when also using 'lxc.mount.auto: proc:rw'

Signed-off-by: Wolfgang Bumiller
Link: https://github.com/lxc/lxc/issues/989
---
 src/PVE/LXC/Config.pm | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/PVE/LXC/Config.pm b/src/PVE/LXC/Config.pm
index 56082dd..061ec8e 100644
--- a/src/PVE/LXC/Config.pm
+++ b/src/PVE/LXC/Config.pm
@@ -509,6 +509,17 @@ my $valid_lxc_conf_keys = {
     'lxc.start.order' => 1,
     'lxc.group' => 1,
     'lxc.environment' => 1,
+
+    # All these are namespaced via CLONE_NEWIPC (see namespaces(7)).
+    'lxc.sysctl.fs.mqueue' => 1,
+    'lxc.sysctl.kernel.msgmax' => 1,
+    'lxc.sysctl.kernel.msgmnb' => 1,
+    'lxc.sysctl.kernel.msgmni' => 1,
+    'lxc.sysctl.kernel.sem' => 1,
+    'lxc.sysctl.kernel.shmall' => 1,
+    'lxc.sysctl.kernel.shmmax' => 1,
+    'lxc.sysctl.kernel.shmmni' => 1,
+    'lxc.sysctl.kernel.shm_rmid_forced' => 1,
 };
 
 my $deprecated_lxc_conf_keys = {
-- 
2.39.2
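Review bot: `'lxc.sysctl.fs.mqueue' => 1` reads like a prefix entry, but every other new key is an exact sysctl name and `fs.mqueue` is a directory rather than a sysctl — the IPC-namespaced values below it are `fs.mqueue.msg_max`, `fs.mqueue.msgsize_max` and `fs.mqueue.queues_max`. If `$valid_lxc_conf_keys` is consulted by an exact hash lookup (that lookup is outside this hunk), a config line such as `lxc.sysctl.fs.mqueue.msg_max` is still rejected as unknown, so the entry should be replaced by the three leaf keys, e.g. `'lxc.sysctl.fs.mqueue.msg_max' => 1,` and its two siblings. The whitelist comment would also benefit from the caveat that only appears in the commit message, since a reader of the hash never sees it: `# Only effective together with 'lxc.mount.auto: proc:rw'.` The commit subject says `lxc.sysfs.*` while the keys added are `lxc.sysctl.*`, which is worth aligning before merge. The `$valid_lxc_conf_keys` hash begins before the hunk and `$deprecated_lxc_conf_keys` continues past its last line.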