how to do not allow to mount /cgroup inside container?

Serge E. Hallyn serue at us.ibm.com
Tue Aug 25 10:45:09 PDT 2009


Quoting Krzysztof Taraszka (krzysztof.taraszka at gnuhosting.net):
> 2009/8/25 Serge E. Hallyn <serue at us.ibm.com>
> 
> > Quoting Daniel Lezcano (daniel.lezcano at free.fr):
> > > Krzysztof Taraszka wrote:
> > >> Hi,
> > >>
> > >> I was looking for possibility to secure lxc container to do not allow
> > 'root
> > >> container user'  from changing limits from cgroup. Right now without
> > STACK64
> > >> or SELinux he can do this easily.
> > >> I read the
> > http://www.ibm.com/developerworks/linux/library/l-lxc-security/cookbook
> > >> and decided to use STACK64 kernel mechanism.
> > >> Well... mounting cgroup inside container fails (great!, i am looked for
> > that
> > >> ;)) but networking fails too (interface bring up, sshd bring up,
> > connection
> > >> beetween host and container is, but 'mtr', 'ping' even 'apt-get update'
> > >> fails and I do not know why). I secure my container exactly like in the
> > >> cookbook.
> >
> > Yeah, smack's use of cipso can make things tricky, and it's possible things
> > have changed a bit recently.  Although I'm currently running smack in my
> > everyday s390 kernel to test checkpointing of its labels, and networking
> > is working fine.
> 
> 
> > Can you give me a few details - what distro, smack policy, and precise
> > kernel
> > version are you using, for starters?
> >
> 
> debian lenny amd64,
> kernel 2.6.30.5
> lxc-tools from git
> 
> lxc1amd64:~# cat /etc/smackaccesses
> debian _ rwa
> _ debian rwa
> _ host rwax
> host _ rwax

Ok, I think what you want to do is use /smack/netlabel as shown around line
425 in linux-2.6/Documentation/Smack.txt.  I haven't played with it yet,
but will tomorrow if you don't get a chance.  So basically I think you should
be able to do:

echo 127.0.0.1 -CIPSO > /smack/netlabel
echo 0.0.0.0/0 @      > /smack/netlabel

to open up the network.

Does that work?

-serge


More information about the Containers mailing list