On Tuesday, 05.08.2014, 23:34 +0000, Serge Hallyn wrote:
> Quoting Tom Weber ([email protected]):
> 
> > The patch works in the regard that the container starts and the apparmor
> > profile is set.
> > But I can't find the Warning message anywhere (tried lxc-start -n webv1
> > -d -l DEBUG) - but maybe that's a more general problem. Oh, and there is
> > a typo: Apparmor ount
> > 
> > My opinion as an admin is that this check isn't needed in lxc itself.
> > Apparmor spits a warning during aa lxc-profile loading - sane admins
> > wouldn't ignore this.
> 
> We're not just talking about "sane admins" though. We're talking about
> everyday users using containers. And they're not building their own
> misconfigured kernels. It happens, certainly while using the development
> release, that you get a kernel for which the apparmor set wasn't ready
> yet and mount restrictions weren't ready.
> 
> Maybe the patch should be modified to only allow the container to
> proceed if cap_sys_admin is being dropped.

So if I _want_ an insecure container with cap_sys_admin (for whatever reason like testing or development - and yes, sometimes I might want this!) you'd force me to install an apparmor mount supported kernel where I'd comment out the mount rules in the apparmor profile? Just to make that thing start?

Just because there's a feature in the kernel (and it's nothing else your stat does) doesn't mean that the other end of the system that's responsible for enforcing/using it does really use it. This test implies security where no security is.

I don't think a readable /proc/kcore inside a container or access to dmesg is very secure either - as in the default config. I could mount proc on /proc_insecure and create whatever /dev/ nodes I like anywhere I want and lxc wouldn't warn me about this at all. But you wouldn't allow me to start a container if the _kernel_ lacks aa-mount support and I don't drop cap_sys_admin? Really?

This test belongs in lxc-checkconfig and should print out a big fat warning - right now it's not even mentioned there.

Regards,
Tom

_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
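The following is an added example for this thread, not lxc's code and not from either poster: an lxc-checkconfig-style check of the kind Tom asks for, which prints a warning when the kernel's AppArmor cannot mediate mounts and the container keeps cap_sys_admin, but never refuses to start anything. It assumes that a kernel with AppArmor mount mediation exposes the directory /sys/kernel/security/apparmor/features/mount (the patch under discussion may stat a different path) and that capabilities are dropped with `lxc.cap.drop = ...` lines; the sample configs and fake feature directories in `demo` are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not lxc's code): warn, instead of refusing to start, when the
# kernel's AppArmor lacks mount mediation and the container keeps sys_admin.
#
# Assumptions (not taken from the thread):
#  - AppArmor mount mediation shows up as the directory
#    /sys/kernel/security/apparmor/features/mount.
#  - Capabilities are dropped with "lxc.cap.drop = cap1 cap2 ..." lines.

AA_FEATURES_DIR="${AA_FEATURES_DIR:-/sys/kernel/security/apparmor/features}"

# aa_mount_supported [features_dir]: exit 0 if AppArmor reports mount mediation.
aa_mount_supported() {
    [ -d "${1:-$AA_FEATURES_DIR}/mount" ]
}

# config_drops_sys_admin <lxc.conf>: exit 0 if an lxc.cap.drop line lists sys_admin.
# Comments are stripped first so a commented-out drop does not count.
config_drops_sys_admin() {
    sed -e 's/#.*//' "$1" | awk -F'=' '
        $1 ~ /^[ \t]*lxc\.cap\.drop[ \t]*$/ {
            n = split($2, caps, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (caps[i] == "sys_admin") found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# check_container <lxc.conf> [features_dir]
# Exit 0 when the profile's mount rules are enforceable or irrelevant, exit 1
# when they would silently go unenforced. Only reports; never blocks a start.
check_container() {
    conf="$1"
    features_dir="${2:-$AA_FEATURES_DIR}"
    if aa_mount_supported "$features_dir"; then
        echo "OK: kernel AppArmor supports mount restrictions"
        return 0
    fi
    if config_drops_sys_admin "$conf"; then
        echo "OK: no mount mediation in this kernel, but $conf drops sys_admin"
        return 0
    fi
    echo "WARNING: kernel AppArmor lacks mount mediation and $conf keeps sys_admin;" >&2
    echo "         mount rules in the container's AppArmor profile are NOT enforced." >&2
    return 1
}

# demo: constructed configs and fake feature directories, so this runs offline.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'lxc.cap.drop = mac_admin mac_override sys_time sys_module sys_admin\n' \
        > "$tmp/dropping.conf"
    printf '# dev container, keeps sys_admin on purpose\nlxc.cap.drop = mac_admin sys_time\n' \
        > "$tmp/keeping.conf"
    mkdir -p "$tmp/aa_with_mount/mount" "$tmp/aa_without_mount"
    for conf in dropping keeping; do
        for aa in aa_with_mount aa_without_mount; do
            echo "== $conf.conf on $aa =="
            check_container "$tmp/$conf.conf" "$tmp/$aa" || true
        done
    done
    rm -rf "$tmp"
    return 0
}

demo
```

Run against a real system by calling `check_container /path/to/container/config` without the second argument; the exit status makes it usable from a wrapper, while the decision to start stays with the admin.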
