Thank you!

On Tue, 2011-08-02 at 12:13 +0200, Mauras Olivier wrote:
> Hello Andre,
>
> All labels are set from the host, so it shouldn't matter if a
> directory is bind mounted or not.
>
> For the setup, this is actually pretty straightforward:
> - You apply the desired label recursively on the container rootdir -
>   See my python script to ease the process here :
>   https://svn.coredumb.net/filedetails.php?repname=Coredumb&path=%2Fscripts%2Ftrunk%2Fpython%2Fsmack_label.py
> - You change your current label to the desired one
> - You start the container
> - You change back your current label
>
> Here's a practical example:
> # smack_label.py -w -r /srv/lxc/lxc1 lxc1
> # echo "lxc1" > /proc/self/attr/current
> # lxc-start -n lxc1
> # echo "_" > /proc/self/attr/current
>
> You now have a container with all its files and processes labelled
> "lxc1". It's now up to you to set the accesses you need.
>
>
> Note: _ or "floor" is the default label
> Out from the documentation of Smack: A read or execute access
> requested on an object labelled "_" is permitted.
>
> This is the default behaviour and can sure be overridden.
>
> If you take my example in my previous mail, I tried to mount sysfs in
> the container and got it refused cause mounting it read-only is
> impossible.
>
> In the message from the host:
> type=1400 audit(1312278692.783:33840): lsm=SMACK fn=smack_sb_mount
> action=denied subject="curse" object="_" requested=w pid=19215
> comm="mount" path="/sys" dev=sysfs ino=1
>
> You can see here that object labeled "curse" tried to access sysfs
> labeled "_" in write mode and got explicitly refused.
> You could change this behaviour by issuing the following command:
> echo "curse _ rwx" > /smack/load
>
> As you guess this is not what you want to do, cause it would let your
> container write to the host ;)
>
>
> To summarize, by default only setting a different label - without any
> complex configuration at all - to your containers will ensure you that
> a root inside a container could only have minimal impact and/or no
> impact on the host.
> The "smack setup" is only setting up the rules you need to secure your
> containers and data inside them.
> All smack documentation is available in the Kernel sources directory.
>
>
> Hope this helps and that I've made myself clear enough,
> Olivier
>
> On Mon, Aug 1, 2011 at 2:27 PM, Andre Nathan <an...@digirati.com.br>
> wrote:
> Hi Olivier
>
> On Sun, 2011-07-31 at 16:42 +0200, Mauras Olivier wrote:
> > Furthermore system has SMACK enabled - Simplified Mandatory Access
> > Control - a label based MAC.
> > Each LXC container has its files and processes labeled differently -
> > Labels which can't write the host system default label, so basically a
> > root in a container can't make anything harmful on the host system.
> > Same can be achieved _less easily_ with Selinux - Look at IBM papers.
>
> Would you mind sharing your SMACK setup?
>
> Also, do you know how this applies to bind-mounted directories? Can I
> label a container's files when they are read-only bind-mounted from the
> host?
>
> Thanks,
> Andre
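As an added example (not code from the thread or from the smack_label.py script), here is a small Python parser for the Smack audit records Olivier quotes, which picks out the records a host operator would want to alert on: a denied write from a non-floor label against a floor ("_") object, i.e. a container label trying to modify something belonging to the host. It assumes the key=value layout of the quoted record; the sample input is constructed, apart from the first line, which is the sysfs denial from the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input. The first record is the sysfs denial quoted in the
# thread; the other two are made up to show a denied read and a granted write.
AUDIT_LINES = """\
type=1400 audit(1312278692.783:33840): lsm=SMACK fn=smack_sb_mount action=denied subject="curse" object="_" requested=w pid=19215 comm="mount" path="/sys" dev=sysfs ino=1
type=1400 audit(1312278700.101:33841): lsm=SMACK fn=smack_inode_permission action=denied subject="lxc1" object="secret" requested=r pid=19300 comm="cat" path="/srv/data/keys"
type=1400 audit(1312278701.500:33842): lsm=SMACK fn=smack_inode_permission action=granted subject="lxc1" object="lxc1" requested=w pid=19301 comm="touch"
"""

# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass
class SmackEvent:
    fn: str
    action: str
    subject: str
    obj: str
    requested: str
    comm: str
    pid: int
    path: Optional[str]

def parse_smack_line(line: str) -> Optional[SmackEvent]:
    """Parse one type=1400 audit record; return None if it is not a Smack record."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if fields.get("lsm") != "SMACK":
        return None
    return SmackEvent(
        fn=fields["fn"], action=fields["action"], subject=fields["subject"],
        obj=fields["object"], requested=fields["requested"], comm=fields["comm"],
        pid=int(fields["pid"]), path=fields.get("path"),
    )

def host_write_attempts(lines: List[str]) -> List[SmackEvent]:
    """Denied events where a non-floor subject asked for write on a floor ("_") object.

    Under the default Smack policy only read and execute on "_" are allowed, so a
    denied write from a container label is the container-to-host case the thread
    shows with the sysfs mount; these are the records worth alerting on.
    """
    hits = []
    for line in lines:
        ev = parse_smack_line(line)
        if ev and ev.action == "denied" and ev.obj == "_" and ev.subject != "_" \
                and "w" in ev.requested:
            hits.append(ev)
    return hits
```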
_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users