The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/4473
This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Signed-off-by: Jingkui Wang <[email protected]>
From 75456a892e63e65819b916c0f1bfee0177a00305 Mon Sep 17 00:00:00 2001
From: Jingkui Wang <[email protected]>
Date: Tue, 17 Apr 2018 19:31:12 -0400
Subject: [PATCH] add LXD_UNPRIVILEGED_ONLY to disallow privileged containers.
Signed-off-by: Jingkui Wang <[email protected]>
---
 lxd/container.go | 16 +++++++++++++---
 lxd/container_lxc.go | 10 ++++++++++
 2 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/lxd/container.go b/lxd/container.go
index 6134ffd60..9a390c2d0 100644
--- a/lxd/container.go
+++ b/lxd/container.go
@@ -240,7 +240,7 @@ func containerValidDeviceConfigKey(t, k string) bool {
 }
 }
-func containerValidConfig(os *sys.OS, config map[string]string, profile bool, expanded bool) error {
+func containerValidConfig(sysOS *sys.OS, config map[string]string, profile bool, expanded bool) error {
 if config == nil {
 return nil
 }
@@ -254,7 +254,7 @@ func containerValidConfig(os *sys.OS, config map[string]string, profile bool, ex
 return fmt.Errorf("Image keys can only be set on containers.")
 }
- err := containerValidConfigKey(os, k, v)
+ err := containerValidConfigKey(sysOS, k, v)
 if err != nil {
 return err
 }
@@ -274,10 +274,20 @@ func containerValidConfig(os *sys.OS, config map[string]string, profile bool, ex
 return fmt.Errorf("security.syscalls.whitelist is mutually exclusive with security.syscalls.blacklist*")
 }
- if expanded && (config["security.privileged"] == "" || !shared.IsTrue(config["security.privileged"])) && os.IdmapSet == nil {
+ if expanded && (config["security.privileged"] == "" || !shared.IsTrue(config["security.privileged"])) && sysOS.IdmapSet == nil {
 return fmt.Errorf("LXD doesn't have a uid/gid allocation. In this mode, only privileged containers are supported.")
 }
+ if os.Getenv("LXD_UNPRIVILEGED_ONLY") == "true" {
+ if config["raw.idmap"] != "" {
+ return fmt.Errorf("Setting raw.idmap is not allowed. Check LXD_UNPRIVILEGED_ONLY.")
+ }
+ if shared.IsTrue(config["security.privileged"]) {
+ return fmt.Errorf("LXD_UNPRIVILEGED_ONLY is set, only unprivileged containers are allowed.")
+ }
+ }
+
 return nil
 }
diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index b40eb99f3..4cf986f25 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -207,6 +207,16 @@ func lxcValidConfig(rawLxc string) error {
 continue
 }
+ if os.Getenv("LXD_UNPRIVILEGED_ONLY") == "true" {
+ if key == "lxc.idmap" || key == "lxc.id_map" {
+ return fmt.Errorf("Setting lxc.idmap is not allowed. Check LXD_UNPRIVILEGED_ONLY.")
+ }
+ if key == "lxc.include" {
+ return fmt.Errorf("Setting lxc.include is not allowed. Check LXD_UNPRIVILEGED_ONLY.")
+ }
+ }
+
 // Blacklist some keys
 if key == "lxc.logfile" || key == "lxc.log.file" {
 return fmt.Errorf("Setting lxc.logfile is not allowed")
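Review bot: The new gate compares `os.Getenv("LXD_UNPRIVILEGED_ONLY")` against the literal `"true"`, so a daemon started with `LXD_UNPRIVILEGED_ONLY=1` or `=yes` silently keeps allowing privileged containers and `raw.idmap` — a hardening switch should not fail open on spelling. The same function already parses `security.privileged` with `shared.IsTrue` a few lines above, so the guard should read `if shared.IsTrue(os.Getenv("LXD_UNPRIVILEGED_ONLY")) {` for consistency and to accept the usual true spellings. A short comment above the block would also help, e.g. `// LXD_UNPRIVILEGED_ONLY: refuse privileged containers and custom id maps at config validation time.` — whether containers created before the variable was set are re-validated at startup is not visible here and should be confirmed. The diffstat lists only the two Go files, so the new variable appears undocumented and belongs in the daemon environment-variable docs. containerValidConfig begins before this hunk.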
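Review bot: The deny-list in lxcValidConfig only rejects `lxc.idmap`/`lxc.id_map` and `lxc.include`, so with LXD_UNPRIVILEGED_ONLY set an operator can still pass other raw.lxc keys that weaken an unprivileged container's confinement (presumably things like `lxc.mount.entry` or the apparmor profile keys); whether the intended guarantee is "no privileged containers" or "no raw.lxc escapes" should be stated in a comment above the block so the list can be reviewed against it. The environment check duplicates the one added to container.go and shares its exact-match weakness (`== "true"` ignores `1`/`yes`); a single helper, `func unprivilegedOnly() bool { return shared.IsTrue(os.Getenv("LXD_UNPRIVILEGED_ONLY")) }`, called from both places keeps the two gates from drifting — assuming `shared` is imported in this file as it is in container.go. Style-wise this block could fold into the existing "Blacklist some keys" chain that follows it rather than forming a second, separately-gated chain. lxcValidConfig begins and ends outside this hunk.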
