Re: [Lxc-users] Jumping out of a read-only bind mount container
On Mon, 2011-02-07 at 11:40 +1100, Trent W. Buck wrote:
> lxc.cap.drop=sys_admin should prevent all mount(2) calls within the
> container. It seems to work for me.
>
> In fact... I thought LXC *always* removed that capability, even if you
> never mentioned it?

Nice! Is there a list of capabilities LXC drops documented somewhere?

Thanks
Andre

--
The modern datacenter depends on network connectivity to access resources
and provide services. The best practices for maximizing a physical server's
connectivity to a physical network are well understood - see how these
rules translate into the virtual world?
http://p.sf.net/sfu/oracle-sfdevnlfb
___
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
Re: [Lxc-users] Jumping out of a read-only bind mount container
On Mon, 2011-02-07 at 03:58 -0800, Dean Mao wrote:
> Yeah, would be nice to have this list -- I remember looking all over,
> but I didn't see lxc.console. Is there a comprehensive list of these
> abilities?

So far, for a container running apache and cron, plus the usual stuff
(init, getty, login), I managed to drop these:

audit_control, audit_write, fowner, fsetid, ipc_lock, ipc_owner, lease,
linux_immutable, mac_admin, mac_override, mknod, net_raw, setfcap,
setpcap, sys_admin, sys_boot, sys_module, sys_nice, sys_pacct,
sys_ptrace, sys_rawio, sys_resource, sys_time, sys_tty_config

So far everything seems to be working, but possibly some more will have
to be removed from the list.

Andre
Re: [Lxc-users] Jumping out of a read-only bind mount container
On Mon, 2011-02-07 at 10:27 -0200, Andre Nathan wrote:
> So far, for a container running apache and cron, plus the usual stuff
> (init, getty, login), I managed to drop these:
>
> audit_control, audit_write, fowner, fsetid, ipc_lock, ipc_owner, lease,
> linux_immutable, mac_admin, mac_override, mknod, net_raw, setfcap,
> setpcap, sys_admin, sys_boot, sys_module, sys_nice, sys_pacct,
> sys_ptrace, sys_rawio, sys_resource, sys_time, sys_tty_config
>
> So far everything seems to be working, but possibly some more will have
> to be removed from the list.

Ping needs net_raw on Ubuntu.
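Added example, not code from this thread or from LXC: a Python script that reads the hex capability masks the kernel exposes in /proc/<pid>/status, decodes them with the bit numbers from <linux/capability.h>, and reports which entries of a drop list are still in the bounding set. The drop list is the one Andre posted above; the status text is constructed, with net_raw (which the follow-up says ping needs) and sys_admin deliberately left in so the check has something to report. The name table goes beyond the 2011 kernel the thread is about and includes capabilities added later; unknown bits decode as cap_<n>.

```python
"""Decode /proc/<pid>/status capability masks and verify an lxc.cap.drop list.

Added example; not code from the lxc-users thread or from LXC.  It answers the
question raised in the thread, how to know which capabilities are really gone,
by decoding the CapBnd/CapEff hex masks with the bit numbers from
<linux/capability.h> and comparing the bounding set against the list the
container config was supposed to drop.  ANDRE_DROP_LIST is the list posted in
the thread; SAMPLE_STATUS is constructed so that net_raw and sys_admin are
still present, to show the check firing.
"""
import re
from typing import Dict, List

# Index == capability bit number in <linux/capability.h>.  Names are spelled
# the way lxc.cap.drop takes them (lower case, no CAP_ prefix).  The table runs
# past the 2011 kernel the thread was about; bits beyond it decode as cap_<n>.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]


def decode_caps(mask: int) -> List[str]:
    """Capability names for the set bits of a mask, lowest bit first."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "cap_%d" % bit)
        bit += 1
    return names


def encode_caps(names: List[str]) -> int:
    """Inverse of decode_caps; raises ValueError for an unknown name."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_NAMES.index(name)
    return mask


def parse_status(text: str) -> Dict[str, int]:
    """The Cap* lines of /proc/<pid>/status as {set name: mask}."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", text, re.M)}


def not_dropped(status_text: str, intended_drops: List[str]) -> List[str]:
    """Entries of intended_drops that are still in the bounding set (CapBnd).

    CapBnd is the set to check: a capability outside it cannot come back via
    exec of a setuid or file-capability binary, whereas an empty CapEff may
    only mean the current process happens to be unprivileged."""
    bnd = parse_status(status_text)["CapBnd"]
    return [name for name in intended_drops if (bnd >> CAP_NAMES.index(name)) & 1]


# The list posted in the thread for an apache + cron container.
ANDRE_DROP_LIST = [
    "audit_control", "audit_write", "fowner", "fsetid", "ipc_lock", "ipc_owner",
    "lease", "linux_immutable", "mac_admin", "mac_override", "mknod", "net_raw",
    "setfcap", "setpcap", "sys_admin", "sys_boot", "sys_module", "sys_nice",
    "sys_pacct", "sys_ptrace", "sys_rawio", "sys_resource", "sys_time",
    "sys_tty_config",
]

# Constructed /proc/<pid>/status excerpt: everything from ANDRE_DROP_LIST is
# gone except net_raw (bit 13) and sys_admin (bit 21).
SAMPLE_STATUS = """\
Name:\tcron
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t000001fc00243ce7
CapEff:\t000001fc00243ce7
CapBnd:\t000001fc00243ce7
"""

if __name__ == "__main__":
    import sys
    # Check a live process with: python3 capcheck.py /proc/self/status
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STATUS
    for name, mask in parse_status(text).items():
        print("%-7s %s" % (name, ",".join(decode_caps(mask)) or "(none)"))
    print("still in bounding set:", not_dropped(text, ANDRE_DROP_LIST) or "none")
```

Run it as root inside the container (`python3 capcheck.py /proc/self/status`) right after start, and again from a process spawned by the service you care about; the bounding set is inherited, so the two should agree, and anything the script lists under "still in bounding set" is a capability the container config did not actually remove.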
Re: [Lxc-users] Jumping out of a read-only bind mount container
Hi,

On Mon, Feb 07, 2011 at 11:40:47AM +1100, Trent W. Buck wrote:
> > In the container, I can use the mount command with the -oremount,rw
> > options and then edit the file from the container.
> >
> > So the bind read-only mounts are no protection against changing the
> > filesystem of the container, but even makes it possible to corrupt
> > the _host_ filesystem ...
> >
> > Is there a way to disable that behavior and forbid the mount options
> > Perhaps there should be a drop.caps possibility to prevent remounting
> > from within the container.

8< -- cut --

> Note that, obviously, this means all mounts must be done by
> lxc.mount.entry or prior to starting LXC.

Indeed.

This is a problem with the sshd bind readonly containers, because
lxc-init mounts /proc, /dev/shm and /dev/mqueue. With
lxc.cap.drop=sys_admin it is therefore not possible to use lxc-init.

Would this mean that lxc_setup_fs() should be removed from lxc_init.c
and the mounting should be done through the config-file?

Cheers,

Matto
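Added example, not code from this thread or from LXC: a Python audit of /proc/self/mountinfo that tells the per-mount "ro" flag (field 6, the flag a read-only bind mount carries) apart from the superblock options after the " - " separator (which still read "rw" when a writable filesystem is bind-mounted read-only). It lists the mounts whose protection rests on that per-mount flag alone, and flags any path the operator meant to be read-only that is missing or mounted writable. The mountinfo lines, the EXPECTED_RO list and the container path /srv/lxc/web are constructed.

```python
"""Audit /proc/self/mountinfo for mounts that were meant to be read-only.

Added example; not code from the lxc-users thread or from LXC.  A read-only
bind mount of a read-write filesystem shows up in mountinfo with "ro" in the
per-mount options (field 6) while the superblock options (after " - ") still
say "rw".  That per-mount flag is the only thing protecting the files, and a
process holding CAP_SYS_ADMIN can clear it with "mount -o remount,rw", which
is the problem discussed in the thread.  This script reports, from inside the
container, which expected-read-only paths are not carrying the flag.
SAMPLE_MOUNTINFO and EXPECTED_RO are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Mount:
    mount_point: str
    mount_opts: List[str]   # per-mount flags: "ro" here means this mount is read-only
    fstype: str
    source: str
    super_opts: List[str]   # superblock flags: "rw" here is normal under a ro bind mount


def unescape(field: str) -> str:
    """mountinfo octal-escapes space, tab, newline and backslash (\\040 and so on)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text: str) -> List[Mount]:
    """Fields: id parent maj:min root mountpoint opts [optional...] - fstype source superopts."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        left, sep, right = line.partition(" - ")
        lf, rf = left.split(), right.split()
        if not sep or len(lf) < 6 or len(rf) < 3:
            raise ValueError("malformed mountinfo line: %r" % line)
        mounts.append(Mount(mount_point=unescape(lf[4]), mount_opts=lf[5].split(","),
                            fstype=rf[0], source=unescape(rf[1]),
                            super_opts=rf[2].split(",")))
    return mounts


def ro_bind_mounts(mounts: List[Mount]) -> List[str]:
    """Mount points whose read-only-ness rests only on the per-mount ro flag."""
    return [m.mount_point for m in mounts
            if "ro" in m.mount_opts and "rw" in m.super_opts]


def not_read_only(mounts: List[Mount], expected_ro: List[str]) -> List[Tuple[str, str]]:
    """(path, reason) for each expected-read-only path that is missing or writable."""
    by_point = {m.mount_point: m for m in mounts}
    problems = []
    for path in expected_ro:
        m = by_point.get(path)
        if m is None:
            problems.append((path, "not mounted"))
        elif "ro" not in m.mount_opts:
            problems.append((path, "mounted " + ",".join(m.mount_opts)))
    return problems


# Constructed sample, as a container with bind-mounted /usr and /etc would see
# it: /usr is correctly read-only, /etc came up writable, /lib is missing.
SAMPLE_MOUNTINFO = r"""
21 1 8:1 /srv/lxc/web/rootfs / rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
22 21 8:1 /usr /usr ro,relatime - ext4 /dev/sda1 rw,errors=remount-ro
23 21 8:1 /srv/lxc/web/etc /etc rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
24 21 0:3 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
25 21 0:17 / /dev/shm rw,nosuid,nodev - tmpfs tmpfs rw
26 21 8:1 /srv/lxc/web/data /mnt/data\040ro ro,relatime - ext4 /dev/sda1 rw,errors=remount-ro
"""
EXPECTED_RO = ["/usr", "/etc", "/lib", "/mnt/data ro"]   # what the config was meant to enforce


def audit(text: str = SAMPLE_MOUNTINFO, expected_ro: List[str] = EXPECTED_RO):
    """Return (mounts protected only by the per-mount ro flag, problems)."""
    mounts = parse_mountinfo(text)
    return ro_bind_mounts(mounts), not_read_only(mounts, expected_ro)


if __name__ == "__main__":
    import sys
    # Run against the live table with: python3 roaudit.py /proc/self/mountinfo
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MOUNTINFO
    ro_only, problems = audit(text)
    print("read-only bind mounts (per-mount ro over rw superblock):", ro_only)
    for path, reason in problems:
        print("NOT READ-ONLY: %s (%s)" % (path, reason))
```

Two caveats for reading its output. First, older util-linux ignores "ro" when given together with "bind" in a single mount call; the documented form is a bind followed by a remount (`mount --bind src dst; mount -o remount,bind,ro dst`), and a missing per-mount "ro" on a path you expected to be read-only is usually that. Second, the script only reports the state at the moment it runs: with CAP_SYS_ADMIN still in the container, the per-mount flag can be cleared again by a remount, so the check is a complement to lxc.cap.drop=sys_admin, not a substitute for it.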
Re: [Lxc-users] Jumping out of a read-only bind mount container
Andre Nathan an...@digirati.com.br writes:

> On Mon, 2011-02-07 at 11:40 +1100, Trent W. Buck wrote:
> > lxc.cap.drop=sys_admin should prevent all mount(2) calls within the
> > container. It seems to work for me.
> >
> > In fact... I thought LXC *always* removed that capability, even if you
> > never mentioned it?
>
> Nice! Is there a list of capabilities LXC drops documented somewhere?

I don't know. The list of capabilities *in general* is the
capabilities(7) manpage.
Re: [Lxc-users] Jumping out of a read-only bind mount container
Matto Fransen ma...@matto.nl writes:

> Hi,
>
> On Mon, Feb 07, 2011 at 11:40:47AM +1100, Trent W. Buck wrote:
> > > In the container, I can use the mount command with the -oremount,rw
> > > options and then edit the file from the container.
> > >
> > > So the bind read-only mounts are no protection against changing the
> > > filesystem of the container, but even makes it possible to corrupt
> > > the _host_ filesystem ...
> > >
> > > Is there a way to disable that behavior and forbid the mount options
> > > Perhaps there should be a drop.caps possibility to prevent
> > > remounting from within the container.
>
> 8< -- cut --
>
> > Note that, obviously, this means all mounts must be done by
> > lxc.mount.entry or prior to starting LXC.
>
> Indeed.
>
> This is a problem with the sshd bind readonly containers, because
> lxc-init mounts /proc, /dev/shm and /dev/mqueue. With
> lxc.cap.drop=sys_admin it is therefore not possible to use lxc-init.
>
> Would this mean that lxc_setup_fs() should be removed from lxc_init.c
> and the mounting should be done through the config-file?

I'm not sure what you mean there, but I do mounting with lxc.mount (or
lxc.mount.entry), i.e. within the lxc .conf file.
Re: [Lxc-users] Jumping out of a read-only bind mount container
On Mon, Feb 7, 2011 at 4:53 AM, Andre Nathan an...@digirati.com.br wrote:
> On Mon, 2011-02-07 at 10:27 -0200, Andre Nathan wrote:
> > So far, for a container running apache and cron, plus the usual stuff
> > (init, getty, login), I managed to drop these:
> >
> > audit_control, audit_write, fowner, fsetid, ipc_lock, ipc_owner, lease,
> > linux_immutable, mac_admin, mac_override, mknod, net_raw, setfcap,
> > setpcap, sys_admin, sys_boot, sys_module, sys_nice, sys_pacct,
> > sys_ptrace, sys_rawio, sys_resource, sys_time, sys_tty_config
> >
> > So far everything seems to be working, but possibly some more will
> > have to be removed from the list.
>
> Ping needs net_raw on Ubuntu.

In my case, I need to disable some sysctl from the container. For example,

  sysctl -w kernel.randomize_va_space (for ASLR)

I am still able to do the above after dropping SYS_ADMIN. How do I go
about figuring out the capability vs. functionality mapping?

~nirmal
Re: [Lxc-users] Jumping out of a read-only bind mount container
Hi,

On Tue, Feb 08, 2011 at 11:19:20AM +1100, Trent W. Buck wrote:
> Matto Fransen ma...@matto.nl writes:
> > This is a problem with the sshd bind readonly containers, because
> > lxc-init mounts /proc, /dev/shm and /dev/mqueue. With
> > lxc.cap.drop=sys_admin it is therefore not possible to use lxc-init.
> >
> > Would this mean that lxc_setup_fs() should be removed from lxc_init.c
> > and the mounting should be done through the config-file?
>
> I'm not sure what you mean there, but I do mounting with lxc.mount (or
> lxc.mount.entry), i.e. within the lxc .conf file.

When you create a sshd read only container with

  lxc-create -t sshd -n containername

then this container gets an init that is mounted to lxc-init. lxc-init
does mount /proc, /dev/shm and /dev/mqueue. But with
lxc.cap.drop=sys_admin it is not possible to mount, and therefore
lxc-init returns an error and the container is stopped.

Cheers,

Matto