On 05/31/2014 04:06 PM, Daniel Baumann wrote:
> On 05/31/2014 10:45 PM, John Goerzen wrote:
>> I am concerned about the memory hierarchy issue; could this indicate a
>> security problem?
> no, it's about accounting, see kernel documentation about cgroup
> memory.use_hierarchy.

OK, so we've got two bugs here:

1) cgroup warning
2) AppArmor not being activated.

As far as I'm concerned, #2 is the more serious. Although I have AppArmor installed and activated, and although ps auxZ shows /usr/bin/lxc-start running under apparmor, still the AppArmor for LXC appears to be doing nothing.

As shipped, the LXC apparmor.d files don't work at all anyhow, because I had to comment out these lines in them:

  # The following 3 entries are only supported by recent apparmor versions.
  # Comment them if the apparmor parser doesn't recognize them.
  #dbus,
  #signal,
  #ptrace,

A very simple test in the container that the apparmor files should block:

  echo 810853 > /proc/sys/fs/file-max

is not blocked. And the root exploit at http://blog.bofh.it/debian/id_413 works.

>> # cat /proc/cmdline
>> BOOT_IMAGE=/hephaestus-1/ROOT@/boot/vmlinuz-3.14-1-amd64
>> root=ZFS=tank/hephaestus-1/ROOT ro boot=zfs zfs-bootfs=tank/21
>> cgroup_enable=memory,cpu,devices,cpuacct,freezer,blkio swapaccount=1
>> security=apparmor
> can you reproduce it without apparmor and without the custom (unneeded)
> enabling of cgroups (except for the memory controller)?

Bug #1 -- I observed it is accompanied by this in syslog:

  May 31 16:17:56 hephaestus kernel: [  457.438103] cgroup: lxc-start (9053) created nested cgroup for controller "memory" which has incomplete hierarchy support. Nested cgroups may change behavior in the future.
  May 31 16:17:56 hephaestus kernel: [  457.438107] cgroup: "memory" requires setting use_hierarchy to 1 on the root.

One tidbit:

  # echo 1 > /sys/fs/cgroup/memory.use_hierarchy
  bash: echo: write error: Device or resource busy

I will reboot shortly and let you know if the changed parameters make a difference.

John
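Added example, not part of John's or Daniel's messages: a small host-side audit script for the two symptoms in this thread. It checks whether the memory controller root has use_hierarchy set (the condition the quoted kernel warning asks for), scans log text for that warning, and reads the AppArmor label of each running lxc-start from /proc/PID/attr/current, which is the authoritative answer to "is this process actually confined" regardless of what ps shows or what the profile files contain. The syslog lines embedded as SAMPLE_LOG are the ones quoted above, used here as constructed input; the cgroup and /proc paths are the standard cgroup-v1 and AppArmor interfaces, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes a cgroup-v1 memory
# controller mounted at /sys/fs/cgroup/memory and AppArmor's per-process
# label at /proc/PID/attr/current. Function names are this example's own.

# Returns 0 when the memory root has use_hierarchy=1, 1 when it is 0,
# 2 when the file cannot be read. An optional argument overrides the path
# so the check can be run against a captured copy of the file.
memory_hierarchy_ok() {
    f="${1:-/sys/fs/cgroup/memory/memory.use_hierarchy}"
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = "1" ]
}

# Returns 0 if the given log text contains the kernel's use_hierarchy warning.
has_cgroup_hierarchy_warning() {
    printf '%s\n' "$1" | grep -q 'requires setting use_hierarchy to 1 on the root'
}

# Prints the raw AppArmor label of a process, e.g. "lxc-container-default (enforce)"
# or "unconfined". A missing attr file (no LSM, or no such pid) counts as unconfined.
apparmor_label() {
    cat "/proc/$1/attr/current" 2>/dev/null || echo "unconfined"
}

# Reduces a raw label to one of: enforce, complain, unconfined, unknown.
apparmor_mode_of() {
    case "$1" in
        unconfined)     echo unconfined ;;
        *"(enforce)"*)  echo enforce ;;
        *"(complain)"*) echo complain ;;
        *)              echo unknown ;;
    esac
}

# Walks every running lxc-start and reports its confinement. A container whose
# lxc-start is "unconfined" gets no AppArmor mediation at all, whatever the
# profile files under /etc/apparmor.d/lxc say.
audit_lxc_start() {
    for pid in $(pgrep -x lxc-start 2>/dev/null); do
        echo "lxc-start pid $pid: apparmor=$(apparmor_mode_of "$(apparmor_label "$pid")")"
    done
}

# Constructed sample: the two syslog lines quoted in the thread, not a live log.
SAMPLE_LOG='May 31 16:17:56 hephaestus kernel: [  457.438103] cgroup: lxc-start (9053) created nested cgroup for controller "memory" which has incomplete hierarchy support. Nested cgroups may change behavior in the future.
May 31 16:17:56 hephaestus kernel: [  457.438107] cgroup: "memory" requires setting use_hierarchy to 1 on the root.'

# Stand-alone run: report on the sample log, the live cgroup root, and any lxc-start.
if has_cgroup_hierarchy_warning "$SAMPLE_LOG"; then
    echo "sample log: use_hierarchy warning present"
fi
if memory_hierarchy_ok; then
    echo "memory root: use_hierarchy=1"
else
    echo "memory root: use_hierarchy not set or unreadable (rc=$?)"
fi
audit_lxc_start
```

The use_hierarchy flag can only be changed while the memory root has no child cgroups, which is why John's echo fails with "Device or resource busy" once lxc-start has already created one; the check above is therefore most useful at boot, before any container starts.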

