On Sun, 2011-07-31 at 16:42 +0200, Mauras Olivier wrote:
> Hello Matthew,
>
> Here's an example in one of my containers:
>
> root@nasty:~# ps ax
>   PID TTY      STAT   TIME COMMAND
>     1 ?        Ss     0:13 init [3]
>    44 ?        Ss     0:02 /usr/sbin/syslogd
>   141 ?        Ss     0:00 /usr/sbin/sshd
>   144 ?        S      0:01 /usr/sbin/crond -l6
>   149 ?        Ss     0:25 /usr/sbin/httpd -k start
>  2215 ?        S      0:14 /usr/sbin/httpd -k start
>  7820 ?        S      0:36 /usr/sbin/httpd -k start
>  8663 ?        S      0:00 /usr/sbin/httpd -k start
> 10159 ?        Ss     0:00 sshd: root@pts/18
> 10161 pts/18   Ss     0:00 -bash
> 10175 pts/18   R+     0:00 ps ax
> 26928 ?        S      0:05 /usr/sbin/httpd -k start
> 26936 ?        S      0:05 /usr/sbin/httpd -k start
> 26937 ?        S      0:05 /usr/sbin/httpd -k start
> 26938 ?        S      0:05 /usr/sbin/httpd -k start
> 26939 ?        S      0:05 /usr/sbin/httpd -k start
> 28054 ?        S      1:41 /usr/sbin/httpd -k start
> 29670 ?        S      0:15 /usr/sbin/httpd -k start
> root@nasty:~# whoami
> root
> root@nasty:~# mount -t sysfs sysfs /sys
> mount: block device sysfs is write-protected, mounting read-only
> mount: cannot mount block device sysfs read-only
> root@nasty:~# touch /test
> root@nasty:~# rm /test
> root@nasty:~# cat /sys/kernel/uevent_helper
>
> root@nasty:~# echo "test" > /sys/kernel/uevent_helper
> -bash: /sys/kernel/uevent_helper: Permission denied

Nice job there. Very nice. Not sure what negative impact will ensue from not having /sys mounted in the machine. I know /proc is pretty fatal. Something new to experiment with.

> Here's capabilities dropped on the container:
>
> lxc.cap.drop = sys_module mknod
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

My money is on that line. Nice.

> lxc.cap.drop = mac_override kill sys_time
> lxc.cap.drop = setfcap setpcap sys_boot

Have to think about those others.

> Furthermore system has SMACK enabled - Simplified Mandatory Access Control -
> a label based MAC.
> Each LXC container has its files and processes labeled differently - Labels
> which can't write the host system default label, so basically a root in a
> container can't make anything harmful on the host system.
> Same can be achieved _less easily_ with Selinux - Look at IBM papers.

Just to refine that comment a bit... This looks like a really good jumping off point to start. Written by Serge no less!

http://www.ibm.com/developerworks/linux/library/l-lxc-security/

Includes some examples of securing a container with selinux as well. :-/

> Hope this helps,
> Olivier

Good stuff.

Regards,
Mike

> On Sun, Jul 31, 2011 at 3:10 AM, Matthew Franz <mdfr...@gmail.com> wrote:
> >
> > Had seen some previous discussions before, but are there any ways to
> > mitigate this design vulnerability?
> >
> > http://blog.bofh.it/debian/id_413
> >
> > Are there any workarounds?
> >
> > Thanks,
> >
> > - mdf
> >
> > --
> > Matthew Franz
> > mdfr...@gmail.com
> >
> > ------------------------------------------------------------------------------
> > Got Input? Slashdot Needs You.
> > Take our quick survey online. Come on, we don't ask for help often.
> > Plus, you'll get a chance to win $100 to spend on ThinkGeek.
> > http://p.sf.net/sfu/slashdot-survey
> > _______________________________________________
> > Lxc-users mailing list
> > Lxc-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/lxc-users

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 | m...@wittsend.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 | http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
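Olivier's session above checks two things by hand from inside the container: whether /sys/kernel/uevent_helper can be written, and which capabilities the lxc.cap.drop lines actually remove. The script below is an added example, not code from this thread or from the LXC project. It reads the bounding set of the current process from the CapBnd field of /proc/self/status, reports which of the capabilities named in the quoted lxc.cap.drop lines are still present, and tests whether /sys/kernel/uevent_helper is writable. The capability numbers are the ones from linux/capability.h; the function names, the --audit flag and the hex masks in the comments are my own constructions.

```shell
#!/bin/sh
# Added example: audit a container process against the capability drop list
# from Olivier's config and check the uevent_helper file. Not part of LXC.

# Capability name -> bit number (values from linux/capability.h).
cap_number() {
    case "$1" in
        kill)         echo 5  ;;
        setpcap)      echo 8  ;;
        sys_module)   echo 16 ;;
        sys_boot)     echo 22 ;;
        sys_time)     echo 25 ;;
        mknod)        echo 27 ;;
        setfcap)      echo 31 ;;
        mac_override) echo 32 ;;
        *) echo "unknown capability: $1" >&2; return 1 ;;
    esac
}

# cap_in_mask HEXMASK CAPNUM: succeed if that bit is set in the mask.
# The 64-bit mask is split into two 32-bit halves so the shell never parses
# a value such as ffffffffffffffff, which overflows a signed 64-bit integer.
cap_in_mask() {
    capmask=$1
    capnum=$2
    while [ ${#capmask} -lt 16 ]; do capmask=0$capmask; done
    high=${capmask%????????}
    low=${capmask#"$high"}
    if [ "$capnum" -ge 32 ]; then
        word=$high; bit=$((capnum - 32))
    else
        word=$low; bit=$capnum
    fi
    [ $(( (0x$word >> bit) & 1 )) -eq 1 ]
}

# still_present HEXMASK name...: print the names from the drop list that are
# still in the bounding set; succeed only if none remain.
still_present() {
    bnd=$1; shift
    leftover=""
    for name in "$@"; do
        num=$(cap_number "$name") || return 2
        if cap_in_mask "$bnd" "$num"; then
            leftover="$leftover $name"
        fi
    done
    leftover=${leftover# }
    [ -n "$leftover" ] && printf '%s\n' "$leftover"
    [ -z "$leftover" ]
}

# Bounding set of the current process, as the hex string the kernel prints.
current_capbnd() {
    awk '/^CapBnd:/ { print $2 }' /proc/self/status
}

# The escape discussed in the thread needs write access to this file.
uevent_helper_writable() {
    [ -w /sys/kernel/uevent_helper ]
}

# Run the checks with the drop list from the quoted lxc.cap.drop lines.
audit_container() {
    bnd=$(current_capbnd)
    if [ -z "$bnd" ]; then
        echo "no CapBnd line in /proc/self/status" >&2
        return 2
    fi
    echo "CapBnd: $bnd"
    if left=$(still_present "$bnd" sys_module mknod mac_override kill \
                                   sys_time setfcap setpcap sys_boot); then
        echo "all listed capabilities are out of the bounding set"
    else
        echo "still in bounding set: $left"
    fi
    if uevent_helper_writable; then
        echo "WARNING: /sys/kernel/uevent_helper is writable from here"
    else
        echo "/sys/kernel/uevent_helper is not writable (or /sys is not mounted)"
    fi
}

# Example: a constructed 34-capability mask (bits 0..33 set) with the eight
# capabilities from the config cleared is 0000000275befedf; the unrestricted
# mask on the same kernel would be 00000003ffffffff.
case "${1:-}" in
    --audit) audit_container ;;
esac
```

Run it as `sh audit.sh --audit` inside the container; on the host, the same command shows the full bounding set for comparison. The bit check is done on 32-bit halves on purpose: a host CapBnd of ffffffffffffffff is larger than a signed 64-bit integer, and some shells clamp rather than wrap when parsing it.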