[Devel] Re: Building a SECURE cointainer using Cgroups ?
Daniel P. Berrange
berrange at redhat.com
Tue Oct 14 01:53:39 PDT 2008
On Mon, Oct 13, 2008 at 02:29:21PM -0500, Serge E. Hallyn wrote:
> Quoting Dave Hansen (dave at linux.vnet.ibm.com):
> > On Mon, 2008-10-13 at 11:01 -0700, Tanaka, Thomas wrote:
> > > Yes absolutely that is what I am trying to achieve.
> >
> > I'm going to put on my Serge hat and bet that you can do it with
> > security modules. :)
>
> Right, your goal is still not very precise, but a security module -
> smack or selinux - might be your best bet.
>
> > There's nothing that cgroups or containers gives you that will help with
> > your problem. We actually haven't touched the fs namespaces at all, yet
> > because they work great as they stand today.
>
> No, but there is the device whitelist cgroup and capability bounding
> sets - perhaps that is what he is asking about?
>
> If you have a normal chroot - or a container created with
> clone(CLONE_NEWNS) followed by pivot_root into a completely isolated
> file system tree (say, created using debootstrap), then a root user in
> that pivot_root can simply mount /dev/hda1 /mnt and chroot back into
> that.
>
> So to make the above a little more secure, you can
>
> 1. restrict the container's device whitelist so that it can't
> create or use the devices representing the hard drive.
We follow this appraoch & use the device whitelist capability in libvirt's
LXC driver now for exactly this purpose. Works quite nicely really. There
are still some other holes like a private dev-pts but those are in progress
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers
More information about the Devel
mailing list