Quoting Xavier Gendre ([email protected]):
> Hi,
>
> I wanted to run a container in an unprivileged container and I am
> glad to succeed in doing it. The point is that I am not sure if what
> I did is acceptable from the security point of view or not...
>
> Here are the steps I did:
>
> 1) create an unprivileged container (lxc.id_map, ...) called 'test'.
>
> 2) mount a tmpfs to /sys/fs/cgroup in 'test' by adding this line in
> its config file:
>
> lxc.mount.auto = cgroup:mixed
>
> 3) create a basic container called 'p1' with the download template
> as root in 'test'.
>
> 4) in the host, I chown the cgroup hierarchy of 'test' to give it to
> the user id mapped to the id 0 in 'test' (this id is 362144 in my
> example),
>
> for T in `ls /sys/fs/cgroup`; do
>     chown -R 362144:362144 /sys/fs/cgroup/$T/lxc/test
> done
>
> 5) successfully start the container 'p1' in 'test' :-)
>
> I am not an expert with cgroups and I am wondering if I am letting
> the devil enter my home with that...
>
> So, what is your opinion: is it a possible security break or is it safe?

Two things to make this safer

1. Only chown the actual directory /sys/fs/cgroup/$T/lxc/test and maybe
its 'tasks' and 'cgroup.procs' files. That way the container can create
sub-cgroups but cannot raise its own limits.

2. Only do this for the controllers you definitely need. Freezer and
memory for example. Then set lxc.cgroup.use in /etc/lxc/lxc.conf (see
lxc.system.conf(5)).

-serge
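
The two suggestions above as a host-side script, added here as an example that is not part of the original thread. The function names are hypothetical, and the script assumes the cgroup v1 layout quoted in the thread; it also adds a check for files still owned by the mapped uid after an earlier recursive chown.

```shell
#!/bin/sh
# Added example. Assumes the cgroup v1 layout used in the thread:
#   <root>/<controller>/lxc/<container>

# Print the paths to hand to the container's mapped root: the cgroup
# directory itself plus its 'tasks' and 'cgroup.procs' files, only for
# the controllers named on the command line.
delegation_paths() {
    root=$1; name=$2; shift 2
    for ctrl in "$@"; do
        dir="$root/$ctrl/lxc/$name"
        if [ ! -d "$dir" ]; then
            echo "skip: $dir not found" >&2
            continue
        fi
        printf '%s\n' "$dir"
        for f in tasks cgroup.procs; do
            if [ -e "$dir/$f" ]; then printf '%s\n' "$dir/$f"; fi
        done
    done
    return 0
}

# Non-recursive chown of exactly those paths. Limit files such as
# memory.limit_in_bytes keep their owner, so the container cannot
# raise its own limits.
delegate_cgroup() {
    owner=$1; shift
    delegation_paths "$@" | while IFS= read -r p; do
        chown "$owner" "$p"
    done
}

# List files in the container's top-level cgroup directory that the
# mapped uid owns beyond that set, e.g. left over from a 'chown -R'.
# Sub-cgroups the container created itself are not inspected.
audit_delegation() {
    uid=$1; root=$2; name=$3; shift 3
    for ctrl in "$@"; do
        dir="$root/$ctrl/lxc/$name"
        [ -d "$dir" ] || continue
        find "$dir" -maxdepth 1 -type f -user "$uid" \
            ! -name tasks ! -name cgroup.procs
    done
}

# Values from the thread (run as root on the host):
#   delegate_cgroup 362144:362144 /sys/fs/cgroup test freezer memory
#   audit_delegation 362144 /sys/fs/cgroup test freezer memory
```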
