[Devel] Re: how to do not allow to mount /cgroup inside container?

Krzysztof Taraszka krzysztof.taraszka at gnuhosting.net
Tue Aug 25 07:43:15 PDT 2009


2009/8/25 Serge E. Hallyn <serue at us.ibm.com>

> Quoting Daniel Lezcano (daniel.lezcano at free.fr):
> > Krzysztof Taraszka wrote:
> >> Hi,
> >>
> >> I was looking for possibility to secure lxc container to do not allow
> 'root
> >> container user'  from changing limits from cgroup. Right now without
> STACK64
> >> or SELinux he can do this easily.
> >> I read the
> http://www.ibm.com/developerworks/linux/library/l-lxc-security/cookbook
> >> and decided to use STACK64 kernel mechanism.
> >> Well... mounting cgroup inside container fails (great!, i am looked for
> that
> >> ;)) but networking fails too (interface bring up, sshd bring up,
> connection
> >> beetween host and container is, but 'mtr', 'ping' even 'apt-get update'
> >> fails and I do not know why). I secure my container exactly like in the
> >> cookbook.
>
> Yeah, smack's use of cipso can make things tricky, and it's possible things
> have changed a bit recently.  Although I'm currently running smack in my
> everyday s390 kernel to test checkpointing of its labels, and networking
> is working fine.


> Can you give me a few details - what distro, smack policy, and precise
> kernel
> version are you using, for starters?
>

debian lenny amd64,
kernel 2.6.30.5
lxc-tools from git

lxc1amd64:~# cat /etc/smackaccesses
debian _ rwa
_ debian rwa
_ host rwax
host _ rwax

where "debian" is container, "host" is a host.

I did this:

for f in `find /root/rootfs.debian`; do
    attr -S -s SMACK64 -V debian $f
done

on the container fs.

container startup script look like here:

lxc1amd64:~# cat vs1.sh
#!/bin/sh
cp /bin/dropmacadmin /root/rootfs.debian/bin/
attr -S -s SMACK64 -V debian /root/rootfs.debian/bin/dropmacadmin
echo debian > /proc/self/attr/current
lxc-start -n debian /bin/dropmacadmin /sbin/init

/etc/fstab inside container look like:

debian:~# cat /etc/fstab
tmpfs  /dev/shm   tmpfs  defaults,smackfsroot=debian,smackfsdef=debian  0 0

And here is some output when I tried to do ping to the wp.pl, tried to
apt-get update and tried to ping gateway

debian:~# ping wp.pl
PING wp.pl (212.77.100.101) 56(84) bytes of data.
>From 10.177.128.1 icmp_seq=1 Parameter problem: pointer = 20
>From 10.177.128.1 icmp_seq=2 Parameter problem: pointer = 20
^C
--- wp.pl ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1001ms

debian:~# apt-get update
Err http://ftp.debian.org lenny Release.gpg
  Could not connect to ftp.debian.org:80 (130.89.149.226). - connect (71
Protocol error)
Err http://ftp.debian.org lenny/main Translation-en_US
  Could not connect to ftp.debian.org:80 (130.89.149.226). - connect (71
Protocol error)
Ign http://ftp.debian.org lenny Release
Ign http://ftp.debian.org lenny/main Packages/DiffIndex
Ign http://ftp.debian.org lenny/main Packages
Err http://ftp.debian.org lenny/main Packages
  Could not connect to ftp.debian.org:80 (130.89.149.226). - connect (71
Protocol error)
W: Failed to fetch http://ftp.debian.org/debian/dists/lenny/Release.gpg
Could not connect to ftp.debian.org:80 (130.89.149.226). - connect (71
Protocol error)

W: Failed to fetch
http://ftp.debian.org/debian/dists/lenny/main/i18n/Translation-en_US.gz
Could not connect to ftp.debian.org:80 (130.89.149.226). - connect (71
Protocol error)

W: Failed to fetch
http://ftp.debian.org/debian/dists/lenny/main/binary-amd64/Packages  Could
not connect to ftp.debian.org:80 (130.89.149.226). - connect (71 Protocol
error)

E: Some index files failed to download, they have been ignored, or old ones
used instead.
debian:~# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.085 ms
unknown option 86
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.136 ms
unknown option 86
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=0.116 ms
unknown option 86
^C
--- 192.168.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2005ms
rtt min/avg/max/mdev = 0.085/0.112/0.136/0.022 ms

did you changed your smack policy or you have the same as mine?

-- 
Krzysztof Taraszka
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers




More information about the Devel mailing list