how to do not allow to mount /cgroup inside container?

Serge E. Hallyn serue at us.ibm.com
Tue Aug 25 13:25:12 PDT 2009


Quoting Krzysztof Taraszka (krzysztof.taraszka at gnuhosting.net):
> 2009/8/25 Serge E. Hallyn <serue at us.ibm.com>
> 
> > Quoting Krzysztof Taraszka (krzysztof.taraszka at gnuhosting.net):
> > > 2009/8/25 Serge E. Hallyn <serue at us.ibm.com>
> > >
> > > > Quoting Daniel Lezcano (daniel.lezcano at free.fr):
> > > > > Krzysztof Taraszka wrote:
> > > > > > Hi,
> > > > > >
> > > > > > I was looking for a possibility to secure an lxc container so as not
> > > > > > to allow the 'root container user' to change limits from cgroup.
> > > > > > Right now without STACK64 or SELinux he can do this easily.
> > > > > > I read the
> > > > > > http://www.ibm.com/developerworks/linux/library/l-lxc-security/cookbook
> > > > > > and decided to use the STACK64 kernel mechanism.
> > > > > > Well... mounting cgroup inside the container fails (great!, I was
> > > > > > looking for that ;)) but networking fails too (the interface comes up,
> > > > > > sshd comes up, the connection between host and container is there, but
> > > > > > 'mtr', 'ping', even 'apt-get update' fail and I do not know why). I
> > > > > > secured my container exactly like in the cookbook.
> > > >
> > > > Yeah, smack's use of cipso can make things tricky, and it's possible
> > > > things have changed a bit recently.  Although I'm currently running
> > > > smack in my everyday s390 kernel to test checkpointing of its labels,
> > > > and networking is working fine.
> > > >
> > > > Can you give me a few details - what distro, smack policy, and precise
> > > > kernel version are you using, for starters?
> > >
> > > debian lenny amd64,
> > > kernel 2.6.30.5
> > > lxc-tools from git
> > >
> > > lxc1amd64:~# cat /etc/smackaccesses
> > > debian _ rwa
> > > _ debian rwa
> > > _ host rwax
> > > host _ rwax
> >
> > Ok, I think what you want to do is use /smack/netlabel as shown around line
> > 425 in linux-2.6/Documentation/Smack.txt.  I haven't played with it yet,
> > but will tomorrow if you don't get a chance.  So basically I think you
> > should be able to do:
> >
> > echo 127.0.0.1 -CIPSO > /smack/netlabel
> > echo 0.0.0.0/0 @      > /smack/netlabel
> >
> > to open up the network.
> >
> > Does that work?
> >
> 
> Yep :))
> Works.

excellent.

> Anyway - are you going to update your cookbook on the ibm webpage?

That's problematic, actually... there is no good process for that.  I've been
waiting for updates to an selinux paper for 2 or 3 years.  I was thinking I'd
post a comment at the bottom of the article instead.

thanks,
-serge
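The two netlabel rules quoted in the thread, wrapped as an added example (not code from the thread, from lxc-tools or from the IBM cookbook) that applies them idempotently and reads the table back to confirm the kernel accepted them. It assumes smackfs is mounted at /smack (overridable through SMACKFS) and that a bare address is reported back as a /32 entry; the helper function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread or the lxc project: apply the two
# /smack/netlabel rules quoted above and verify they were accepted.
# Assumptions: smackfs is mounted at $SMACKFS (default /smack, as in the
# thread), and the kernel reports a bare address back as a /32 entry.
SMACKFS="${SMACKFS:-/smack}"

# Normalise "host" to the form smackfs prints when the table is read back:
# an address without a prefix length becomes host/32 (assumption, see above).
smack_norm_host() {
    case "$1" in
        */*) printf '%s\n' "$1" ;;
        *)   printf '%s/32\n' "$1" ;;
    esac
}

# Succeed if the netlabel table already contains the rule "host label".
smack_netlabel_has() {
    _h=$(smack_norm_host "$1")
    grep -qxF -- "$_h $2" "$SMACKFS/netlabel" 2>/dev/null
}

# Add the rule "host label" unless it is already present, then check that the
# kernel actually took it. Fails if smackfs is not mounted or not writable.
smack_netlabel_add() {
    if [ ! -w "$SMACKFS/netlabel" ]; then
        echo "smackfs not mounted or not writable at $SMACKFS" >&2
        return 1
    fi
    smack_netlabel_has "$1" "$2" && return 0
    printf '%s %s\n' "$1" "$2" > "$SMACKFS/netlabel" || return 1
    smack_netlabel_has "$1" "$2"
}

# The two rules from the thread: use CIPSO labels on loopback, and treat all
# other hosts as unlabelled "@" traffic, which is what opens up the network.
smack_open_net() {
    smack_netlabel_add 127.0.0.1 -CIPSO && smack_netlabel_add 0.0.0.0/0 @
}

# Only touch the live table when explicitly asked: `sh thisfile apply`.
case "${1:-}" in
    apply) smack_open_net && cat "$SMACKFS/netlabel" ;;
esac
```

Running it without the `apply` argument only defines the functions, so the table can be inspected with `smack_netlabel_has` before anything is written.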
