[libvirt] LXC: making the private root filesystem more secure
Daniel Veillard
veillard at redhat.com
Thu Sep 4 05:56:59 UTC 2008
On Thu, Aug 28, 2008 at 11:56:58PM +0100, Daniel P. Berrange wrote:
> When I wrote the private root filesystem stuff for LXC (which I just
> committed) I noted that we couldn't actually make this secure, because
> someone inside the chroot can just 'mknod' and access the host devices.
>
> What I completely forgot was that cgroups as of 2.6.26 has device ACLs
> If we place every container in a cgroup (which was planned anyway), then
> we can trivially prevent containers accessing host devices
>
> One time setup
>
> mount -t cgroups /dev/cgroups
> mkdir /dev/cgroups/libvirt
> mkdir /dev/cgroups/libvirt/lxc
>
> For each new container 'NAME'
>
> mkdir /dev/cgroups/libvirt/lxc/{NAME}
> echo "a" > /dev/cgroups/libvirt/lxc/{NAME}/devices.deny
> echo "c 1:3 rwm" > /dev/cgroups/libvirt/lxc/{NAME}/devices.allow
> echo "c 1:5 rwm" > /dev/cgroups/libvirt/lxc/{NAME}/devices.allow
> echo "c 1:7 rwm" > /dev/cgroups/libvirt/lxc/{NAME}/devices.allow
> echo "c 5:1 rwm" > /dev/cgroups/libvirt/lxc/{NAME}/devices.allow
> echo "c 1:8 rwm" > /dev/cgroups/libvirt/lxc/{NAME}/devices.allow
> echo "c 1:9 rwm" > /dev/cgroups/libvirt/lxc/{NAME}/devices.allow
>
> This denies all devices, and then allows null, zero, full, console, random
> and urandom. Allowing use of 'random' is debatable.
Sounds fine to me; the first 4 sound unavoidable. For (u)random I
guess that will be needed for most setups, but there we are at the limit
of libvirt, i.e. we start to step on the policies for the guests.
> The 'devpts' namespace stuff is also needed to provide private PTYs.
> The 'user' namespace stuff is needed to prevent an unprivileged user
> in the host OS from killing off processes with same UID inside the
> container. There look to be active patchsets for both of these being
> discussed, so we're getting close to having a genuinely useful
> container based virt driver with LXC
Which is something I would love to see for Fedora 10, possibly as an
update.
Daniel
--
Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
daniel at veillard.com | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/
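As an added example (not code from this thread or from libvirt), the per-container device ACL sketched in the quoted mail, written as a POSIX sh script. It denies all devices for the container's cgroup and then re-allows exactly null, zero, full, console, random and urandom. Two details are worth noting beside the original sketch: the filesystem type passed to mount is `cgroup` (singular), and the container name becomes a directory under the cgroup tree, so it is validated before use. `CGROUP_ROOT` and `CGROUP_NO_MOUNT` are assumed knobs so the script can be dry-run against a scratch directory without root; the default root is the thread's `/dev/cgroups`.

```shell
#!/bin/sh
# Added example: per-container device whitelist via the cgroup "devices"
# controller. Not libvirt's code; CGROUP_ROOT / CGROUP_NO_MOUNT are
# assumed knobs for dry-running against an ordinary directory.
CGROUP_ROOT="${CGROUP_ROOT:-/dev/cgroups}"
LXC_GROUP="$CGROUP_ROOT/libvirt/lxc"

# Whitelist from the thread: null, zero, full, console, random, urandom.
# Each line is "<type> <major>:<minor> <access>", the syntax the devices
# controller accepts in devices.allow / devices.deny.
ALLOWED_DEVICES="c 1:3 rwm
c 1:5 rwm
c 1:7 rwm
c 5:1 rwm
c 1:8 rwm
c 1:9 rwm"

# A container name becomes a directory under LXC_GROUP, so refuse
# anything empty, containing a path separator, or starting with a dot.
valid_name() {
    case "$1" in
        ''|*/*|.*) return 1 ;;
        *) return 0 ;;
    esac
}

# One-time setup: mount the devices controller (filesystem type "cgroup",
# only the "devices" subsystem) and create the libvirt/lxc hierarchy.
# With CGROUP_NO_MOUNT set, the mount step is skipped (dry run).
cgroup_setup() {
    mkdir -p "$CGROUP_ROOT" || return 1
    if [ -z "$CGROUP_NO_MOUNT" ] && ! grep -q " $CGROUP_ROOT cgroup " /proc/mounts; then
        mount -t cgroup -o devices cgroup "$CGROUP_ROOT" || return 1
    fi
    mkdir -p "$LXC_GROUP"
}

# Per-container step: deny everything first, so the allow list is the
# only thing that grants access, then add each whitelist entry.
container_devices_acl() {
    name="$1"
    valid_name "$name" || { echo "invalid container name: '$name'" >&2; return 1; }
    group="$LXC_GROUP/$name"
    mkdir -p "$group" || return 1
    # "a" matches all devices of all types.
    echo "a" > "$group/devices.deny" || return 1
    # On a real cgroup mount every write(2) is a separate request, so
    # appending is equivalent to truncating; in a dry-run directory it
    # leaves the full rule set behind for inspection.
    echo "$ALLOWED_DEVICES" | while IFS= read -r rule; do
        echo "$rule" >> "$group/devices.allow" || exit 1
    done
}

# Check the effective ACL: devices.list is maintained by the kernel and
# therefore only exists on a real cgroup mount, not in a dry run.
container_devices_list() {
    cat "$LXC_GROUP/$1/devices.list"
}

# Usage: CONTAINER=NAME sh devacl.sh   (then move the container's PIDs
# into $LXC_GROUP/NAME/tasks so the ACL applies to them)
if [ -n "$CONTAINER" ]; then
    cgroup_setup && container_devices_acl "$CONTAINER"
fi
```

After the container's init process is attached to the group's `tasks` file, `container_devices_list NAME` shows the rules the kernel actually enforces, which is the check to run before trusting the setup.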