On 15/06/2015 17:17, Serge Hallyn wrote:
Quoting Xavier Gendre ([email protected]):
Hi,
I wanted to run a container in an unprivileged container and I am
glad to have succeeded in doing it. The point is that I am not sure whether
what I did is acceptable from a security point of view or not...
Here are the steps I did:
1) create an unprivileged container (lxc.id_map, ...) called 'test'.
2) mount a tmpfs to /sys/fs/cgroup in 'test' by adding this line in
its config file:
lxc.mount.auto = cgroup:mixed
3) create a basic container called 'p1' with the download template
as root in 'test'.
4) on the host, I chown the cgroup hierarchy of 'test' to give it to
the user id mapped to id 0 in 'test' (this id is 362144 in my
example),
for T in `ls /sys/fs/cgroup`; do
chown -R 362144:362144 /sys/fs/cgroup/$T/lxc/test
done
5) successfully start the container 'p1' in 'test' :-)
I am not an expert with cgroups and I am wondering if I am letting
the devil into my home with that...
So, what is your opinion: is it a possible security break or is it safe?
Two things to make this safer
1. only chown the actual directory /sys/fs/cgroup/$T/lxc/test and maybe
its 'tasks' and 'cgroup.procs' files. That way the container can create
sub-cgroups but cannot raise its own limits.
2. Only do this for the controllers you definitely need. Freezer and
memory for example. Then set lxc.cgroup.use in /etc/lxc/lxc.conf
(see lxc.system.conf(5)).
-serge
Hello Serge,
thank you for your advice. Indeed, chowning only the directories is
sufficient to start the nested container. I did not have to chown
'tasks' and 'cgroup.procs' in order to simply start it.
Your second point is more obscure to me... For now, I have to chown all
the controllers:
'blkio' 'cpu,cpuacct' 'cpuset' 'devices' 'freezer' 'net_cls,net_prio'
'perf_event'
When you say 'need', does it apply to the container 'test' or to 'p1' in my
example? If I plan to allow quite general containers to run in my
unprivileged container, should all the controllers be chowned, or are
there some that are definitely not needed?
Thanks,
Xavier
_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
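The script below is an added example, not code posted by either participant in the thread. It puts Serge's two suggestions into a reusable form: chown only the per-container cgroup directory (and, optionally, its 'tasks' and 'cgroup.procs' files) without `-R`, restrict that to an explicit list of controllers, and afterwards verify that no other file under the delegated directory ended up owned by the container's root uid. It assumes a cgroup v1 layout with one mount per controller under a root (default `/sys/fs/cgroup`) and the `lxc/<name>` path from the thread; the uid 362144 is the host uid that maps to root in 'test', as in Xavier's example. The function and variable names are mine, and `stat -c %u` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the lxc-users thread): narrow cgroup delegation for
# an unprivileged container that will itself run nested containers.
#
# Idea (Serge's point 1): give the container's root uid the cgroup *directory*
# only, so it can mkdir sub-cgroups for nested containers, but leave every
# limit file (memory.limit_in_bytes, devices.allow, ...) owned by the host so
# the container cannot raise its own limits.
# Idea (Serge's point 2): do it for an explicit controller list only.
#
# Assumed layout (cgroup v1, one mount per controller):
#   $ROOT/<controller>/lxc/<name>      e.g. /sys/fs/cgroup/memory/lxc/test

# Print the paths that would be chowned, one per line.
#   delegated_paths ROOT NAME WITH_PROCS controller...
# WITH_PROCS=1 also lists 'tasks' and 'cgroup.procs' when present.
delegated_paths() {
    root=$1; name=$2; with_procs=$3; shift 3
    for ctrl in "$@"; do
        dir="$root/$ctrl/lxc/$name"
        if [ ! -d "$dir" ]; then
            echo "skip: $dir is not a directory" >&2
            continue
        fi
        echo "$dir"
        if [ "$with_procs" = 1 ]; then
            for f in tasks cgroup.procs; do
                if [ -f "$dir/$f" ]; then echo "$dir/$f"; fi
            done
        fi
    done
    return 0
}

# chown (deliberately without -R) exactly the paths listed above.
#   delegate_cgroups UID:GID ROOT NAME WITH_PROCS controller...
delegate_cgroups() {
    owner=$1; root=$2; name=$3; with_procs=$4; shift 4
    delegated_paths "$root" "$name" "$with_procs" "$@" |
    while IFS= read -r p; do
        chown "$owner" "$p"
    done
}

# Post-check: no regular file under the delegated directory other than
# 'tasks' / 'cgroup.procs' may be owned by the container uid. Returns 1 and
# names the offenders if any limit file has been handed over.
#   check_limits_not_delegated UID ROOT NAME controller...
check_limits_not_delegated() {
    cuid=$1; root=$2; name=$3; shift 3
    rc=0
    for ctrl in "$@"; do
        dir="$root/$ctrl/lxc/$name"
        [ -d "$dir" ] || continue
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            case "${f##*/}" in tasks|cgroup.procs) continue ;; esac
            if [ "$(stat -c %u "$f")" = "$cuid" ]; then
                echo "limit file delegated to container: $f" >&2
                rc=1
            fi
        done
    done
    return $rc
}

# Example invocation on the host (run as root), matching the thread's values:
#   delegate_cgroups 362144:362144 /sys/fs/cgroup test 1 freezer memory
#   check_limits_not_delegated 362144 /sys/fs/cgroup test freezer memory
```

The controller list passed here should match what you put in `lxc.cgroup.use` in `/etc/lxc/lxc.conf` (see lxc.system.conf(5)), otherwise LXC inside 'test' will try to use hierarchies it was never given. Because the check walks the real tree after the chown, it also catches an earlier `chown -R` that was left behind.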