[Devel] Re: LXC PIDs, UIDs, and halt

Serge E. Hallyn serue at us.ibm.com
Tue Oct 13 12:59:21 PDT 2009


Quoting Dwight Schauer (dschauer at gmail.com):
> On Mon, Oct 12, 2009 at 10:03 AM, Serge E. Hallyn <serue at us.ibm.com> wrote:
> 
> > Quoting Dwight Schauer (dschauer at gmail.com):
> > > 4) In a opensuse container when I execute "halt" it is not just the
> > > container that halts, but the controlling host as well that shuts down.
> >
> > Make sure that the container is launched with CAP_SYS_BOOT removed from
> > the capability bounding set.
> >
> 
> Ok, well it turns out any container can halt the whole system.
> 
> If I do:
>   capsh --drop="cap_sys_boot" -- -c "lxc-start -n arch-test0"
> Then do a halt within the container, the halt still works.
> A "reboot" within a container does not reboot the controlling host, the
> container runs the shutdown scripts and then idles.
> 
> However, if on the controlling host I do:
>   capsh --drop="cap_kill" -c "bash --login -i"
> Then the subsequent shell can't use kill which I have verified.
> 
> Well, these performed on the controlling host:
>   capsh --drop="cap_sys_boot" -- -c "halt"
>   capsh --drop="cap_sys_boot" -- -c "reboot"
> 
> Still halt and reboot my system.
> 
> So I know that capabilities are working, I just have not figured out yet how
> to prevent containers from being able to halt the controlling host (short of
> simply not executing "halt" within a container or renaming/removing "halt"
> and "shutdown" but then "init 0" would still work).
> 
> CAP_SYS_BOOT seems to control reboot, which has not been an issue, I've not
> gotten a container to reboot the controlling host.

HAH!  It's upstart, the latest incarnation of init (at least on Fedora).  It
takes commands over an abstract unix domain socket,
"/com/ubuntu/upstart/<pid>".  If you start your container in a new network
namespace, then halt fails.

I haven't gone through the code enough to see exactly how, then,
upstart (in userspace) authorizes the halt request.  Since 'pid'
is encoded in the socket name, I assume it looks at /proc/pid/status.
So it easily could check for CAP_SYS_BOOT \notin pE, or even
check whether it's supposed to be in a container (using some config
files in userspace if somesuch could be agreed upon by everyone, not
really likely).

Oh, yeah, upstart-0.3.11/init/main.c checks whether geteuid()==0.
Wonderful.

-serge
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers
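The capability check Serge proposes above (refuse a halt request unless CAP_SYS_BOOT is in the requester's effective set, read from /proc/<pid>/status), as an added example in C; it is not upstart's code or anything posted in the thread, and the two status excerpts are constructed sample input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/types.h>

#define CAP_SYS_BOOT 22  /* bit number from linux/capability.h */

/* Parse the "CapEff:" line out of /proc/<pid>/status text and return the
 * effective capability mask; 0 if the line is missing (no capabilities). */
uint64_t parse_cap_eff(const char *status_text)
{
    const char *p = strstr(status_text, "CapEff:");
    if (!p)
        return 0;
    p += strlen("CapEff:");
    return strtoull(p, NULL, 16);   /* strtoull skips the leading tab */
}

/* 1 if CAP_SYS_BOOT is in the effective set, 0 otherwise. This is the
 * "CAP_SYS_BOOT \notin pE" test, as opposed to a bare geteuid()==0 check. */
int has_cap_sys_boot(uint64_t cap_eff)
{
    return (int)((cap_eff >> CAP_SYS_BOOT) & 1ULL);
}

/* Decide for a live process: 1 may halt, 0 may not, -1 status unreadable. */
int requester_may_halt(pid_t pid)
{
    char path[64], buf[8192];
    snprintf(path, sizeof path, "/proc/%d/status", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return has_cap_sys_boot(parse_cap_eff(buf));
}

/* Constructed excerpts: uid 0 with the full root set, and uid 0 with bit 22
 * cleared, as a container started with CAP_SYS_BOOT dropped would show. */
static const char *STATUS_FULL    = "Name:\thalt\nUid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n";
static const char *STATUS_NO_BOOT = "Name:\thalt\nUid:\t0\t0\t0\t0\nCapEff:\t0000003fffbfffff\n";

int main(void)
{
    printf("full set may halt: %d\n", has_cap_sys_boot(parse_cap_eff(STATUS_FULL)));
    printf("no CAP_SYS_BOOT may halt: %d\n", has_cap_sys_boot(parse_cap_eff(STATUS_NO_BOOT)));
    printf("this process may halt: %d\n", requester_may_halt(getpid()));
    return 0;
}
```

Both constructed excerpts report uid 0, so a geteuid()-style check passes for both, while the CapEff check rejects the second one.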