[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] LXC: making the private root filesystem more secure



On Thu, Aug 28, 2008 at 11:56:58PM +0100, Daniel P. Berrange wrote:
> When I wrote the private root filesystem stuff for LXC (which I just 
> committed) I noted that we couldn't actually make this secure, because
> someone inside the chroot can just 'mknod' and access the host devices.
> 
> What I completely forgot was that cgroups as of 2.6.26 has device ACLs
> If we place every container in a cgroup (which was planned anyway), then
> we can trivially prevent containers accessing host devices
> 
> One time setup
> 
>     mount -t cgroups  /dev/cgroups
>     mkdir /dev/cgroups/libvirt
>     mkdir /dev/cgroups/libvirt/lxc
> 
> For each new container 'NAME'
> 
>     mkdir /dev/cgroups/libvirt/lxc/{NAME}
>     echo "a" > /dev/cgroups/libvirt/lxc/{NAME}/devices.deny
>     echo "c 1:3 rwm" > /dev/cgroups/libvirt/lxc/{NAME}/devices.allow
>     echo "c 1:5 rwm" > /dev/cgroups/libvirt/lxc/{NAME}/devices.allow
>     echo "c 1:7 rwm" > /dev/cgroups/libvirt/lxc/{NAME}/devices.allow
>     echo "c 5:1 rwm" > /dev/cgroups/libvirt/lxc/{NAME}/devices.allow
>     echo "c 1:8 rwm" > /dev/cgroups/libvirt/lxc/{NAME}/devices.allow
>     echo "c 1:9 rwm" > /dev/cgroups/libvirt/lxc/{NAME}/devices.allow
> 
> This denies all devices, and then allows null, zero, full, console, random
> and urandom. Allowing use of 'random' is debatable.

  Sounds fine to me, the first 4 sounds unavoidable, for (u)random I
guess that will be needed for most setup but there we are at the limit
of libvirt, i.e. start to step on the policies for the guests

> The 'devpts' namespace stuff is also needed to provide private PTYs. 
> The 'user' namespace stuff is needed to prevent an unprivileged user
> in the host OS from killing off processes with same UID inside the
> container. There looks to be active patchsets for both of these being
> discussed, so we're getting close to having a genuinely useful
> container based virt driver with LXC

  Which is something I would love to see for Fedora 10, possibly as an
update.

Daniel

-- 
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
daniel veillard com  | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library  http://libvirt.org/


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]