how to do not allow to mount /cgroup inside container?

Krzysztof Taraszka krzysztof.taraszka at gnuhosting.net
Tue Aug 25 07:43:15 PDT 2009


2009/8/25 Serge E. Hallyn <serue at us.ibm.com>

> Quoting Daniel Lezcano (daniel.lezcano at free.fr):
> > Krzysztof Taraszka wrote:
> >> Hi,
> >>
> >> I was looking for possibility to secure lxc container to do not allow
> 'root
> >> container user'  from changing limits from cgroup. Right now without
> STACK64
> >> or SELinux he can do this easily.
> >> I read the
> http://www.ibm.com/developerworks/linux/library/l-lxc-security/cookbook
> >> and decided to use STACK64 kernel mechanism.
> >> Well... mounting cgroup inside container fails (great!, i am looked for
> that
> >> ;)) but networking fails too (interface bring up, sshd bring up,
> connection
> >> beetween host and container is, but 'mtr', 'ping' even 'apt-get update'
> >> fails and I do not know why). I secure my container exactly like in the
> >> cookbook.
>
> Yeah, smack's use of cipso can make things tricky, and it's possible things
> have changed a bit recently.  Although I'm currently running smack in my
> everyday s390 kernel to test checkpointing of its labels, and networking
> is working fine.


> Can you give me a few details - what distro, smack policy, and precise
> kernel
> version are you using, for starters?
>

debian lenny amd64,
kernel 2.6.30.5
lxc-tools from git

lxc1amd64:~# cat /etc/smackaccesses
debian _ rwa
_ debian rwa
_ host rwax
host _ rwax

where "debian" is container, "host" is a host.

I did this:

for f in `find /root/rootfs.debian`; do
    attr -S -s SMACK64 -V debian $f
done

on the container fs.

container startup script look like here:

lxc1amd64:~# cat vs1.sh
#!/bin/sh
cp /bin/dropmacadmin /root/rootfs.debian/bin/
attr -S -s SMACK64 -V debian /root/rootfs.debian/bin/dropmacadmin
echo debian > /proc/self/attr/current
lxc-start -n debian /bin/dropmacadmin /sbin/init

/etc/fstab inside container look like:

debian:~# cat /etc/fstab
tmpfs  /dev/shm   tmpfs  defaults,smackfsroot=debian,smackfsdef=debian  0 0

And here is some output when I tried to do ping to the wp.pl, tried to
apt-get update and tried to ping gateway

debian:~# ping wp.pl
PING wp.pl (212.77.100.101) 56(84) bytes of data.


More information about the Containers mailing list