[libvirt] [RFC][PATCH] lxc: drop CAP_SYS_BOOT capability to prevent rebooting from inside containers
Ryota Ozaki
ozaki.ryota at gmail.com
Fri May 8 00:52:52 UTC 2009
Hi Serge,
On Fri, May 8, 2009 at 9:12 AM, Serge E. Hallyn <serue at us.ibm.com> wrote:
> Quoting Ryota Ozaki (ozaki.ryota at gmail.com):
>> Hi,
>>
>> The current lxc driver unexpectedly allows users inside containers to reboot
>> the host physical machine. This patch prevents this by dropping the CAP_SYS_BOOT
>> capability from the bounding set of the init process in every container.
>>
>> Note that the patch intends to make it easy to add further capabilities
>> to drop if needed, although I'm not sure which capabilities should be
>> dropped. (We might need to drop CAP_SETFCAP as well to be strict...)
>>
>> Thanks,
>> ozaki-r
>>
>> Signed-off-by: Ryota Ozaki <ozaki.ryota at gmail.com>
>>
>> From 0e7a7622bc6411bbe76c05c63c6e6e61d379d97b Mon Sep 17 00:00:00 2001
>> From: Ryota Ozaki <ozaki.ryota at gmail.com>
>> Date: Fri, 8 May 2009 04:29:24 +0900
>> Subject: [PATCH] lxc: drop CAP_SYS_BOOT capability to prevent
>> rebooting from inside containers
>>
>> The current lxc driver unexpectedly allows users inside containers to reboot
>> the host physical machine. This patch prevents this by dropping the CAP_SYS_BOOT
>> capability from the bounding set of the init process in every container.
>> ---
>> src/lxc_container.c | 30 ++++++++++++++++++++++++++++++
>> 1 files changed, 30 insertions(+), 0 deletions(-)
>>
>> diff --git a/src/lxc_container.c b/src/lxc_container.c
>> index 3946b84..37ab216 100644
>> --- a/src/lxc_container.c
>> +++ b/src/lxc_container.c
>> @@ -32,6 +32,8 @@
>> #include <sys/ioctl.h>
>> #include <sys/mount.h>
>> #include <sys/wait.h>
>> +#include <sys/prctl.h>
>> +#include <sys/capability.h>
>> #include <unistd.h>
>> #include <mntent.h>
>>
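Review bot: the new `#include <sys/capability.h>` in this hunk is not needed by the code the patch adds, since `prctl(PR_CAPBSET_DROP, ...)` comes from `<sys/prctl.h>` and `CAP_SYS_BOOT` is defined in `<linux/capability.h>`; `<sys/capability.h>` is the libcap header, so it introduces a build dependency on libcap that nothing in the patch checks for at configure time. Suggest `#include <linux/capability.h>` instead, unless the follow-up that also clears the inheritable set ends up using the libcap API, in which case the dependency should be made explicit in the build.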
>> @@ -639,6 +641,30 @@ static int lxcContainerSetupMounts(virDomainDefPtr vmDef,
>> return lxcContainerSetupExtraMounts(vmDef);
>> }
>>
>> +
>> +static int lxcContainerDropCapabilities( virDomainDefPtr vmDef )
>> +{
>> + int i;
>> + const struct {
>> + int id;
>> + const char *name;
>> + } caps[] = {
>> +#define ID_STRING(name) name, #name
>> + { ID_STRING(CAP_SYS_BOOT) },
>> + };
>> +
>> + for (i = 0 ; i < ARRAY_CARDINALITY(caps) ; i++) {
>> + if (prctl(PR_CAPBSET_DROP, caps[i].id, 0, 0, 0)) {
>> + lxcError(NULL, NULL, VIR_ERR_INTERNAL_ERROR,
>> + "%s", _("failed to drop %s"), caps[i].name);
>> + return -1;
>
> Ideally you should also drop it from pI.
If it is not dropped, a user in a container could set the CAP_SYS_BOOT fI bit on
/bin/reboot, and then the user could gain CAP_SYS_BOOT back through
the fI. Is this understanding right?
Thanks,
ozaki-r
>
>> + }
>> + }
>> +
>> + return 0;
>> +}
>> +
>> +
>> /**
>> * lxcChild:
>> * @argv: Pointer to container arguments
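Review bot: the error path in lxcContainerDropCapabilities passes the translated message as the argument of a `"%s"` format, so `caps[i].name` is never consumed and the logged text would read literally `failed to drop %s`; use the translated string as the format itself, i.e. `_("failed to drop %s"), caps[i].name`. Two smaller points in the same function: `vmDef` is accepted but never used, and `ID_STRING` is defined inside the function body without a matching `#undef`, so it leaks into the rest of the file. Finally, as raised in the thread, `PR_CAPBSET_DROP` only removes the capability from the bounding set; clearing it from the inheritable set as well (capset, or libcap's cap_set_proc) closes the path back to CAP_SYS_BOOT via a file inheritable bit, and a comment stating which sets are touched would make the helper's guarantee explicit.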
>> @@ -705,6 +731,10 @@ static int lxcContainerChild( void *data )
>> if (lxcContainerEnableInterfaces(argv->nveths, argv->veths) < 0)
>> return -1;
>>
>> + /* drop a set of root capabilities */
>> + if (lxcContainerDropCapabilities(vmDef) < 0)
>> + return -1;
>> +
>> /* this function will only return if an error occured */
>> return lxcContainerExecInit(vmDef);
>> }
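Review bot: placing the call immediately before lxcContainerExecInit is the right spot for a bounding-set drop, since the bounding set survives the exec of init and is inherited by every descendant, but the comment `/* drop a set of root capabilities */` promises more than the helper delivers while only the bounding set is modified; either narrow the comment to say "bounding set" or extend the helper to clear the inheritable set too. The call also returns -1 on failure without any attempt to continue, which is the correct fail-closed choice here and worth a one-line comment so it is not "fixed" later; and since `PR_CAPBSET_DROP` is not available on every kernel/header combination libvirt builds against, an `#ifdef PR_CAPBSET_DROP` guard or configure check would keep older builds compiling.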
>> --
>> 1.6.0.6
>>
>> --
>> Libvir-list mailing list
>> Libvir-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/libvir-list
>
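The thread above leaves the inheritable-set question open: the patch drops CAP_SYS_BOOT from the bounding set only, and Serge suggests also removing it from pI. The following stand-alone program is an added example, not libvirt code and not part of the original mail; it shows what the combined hardening looks like on Linux using `prctl(PR_CAPBSET_DROP)` for the bounding set and the raw `capget`/`capset` syscalls (v3 ABI) for the inheritable set, and verifies both afterwards. Function names (`cap_in_bounding`, `cap_in_inheritable`, `drop_inheritable`, `drop_bounding`, `drop_cap_fully`) are my own. Lowering pI never needs privilege, whereas `PR_CAPBSET_DROP` needs CAP_SETPCAP, so the bounding-set step is expected to fail with EPERM when run as an unprivileged user.

```c
/* Added example (not libvirt code): drop CAP_SYS_BOOT from both the
 * bounding set and the inheritable set, then verify. Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Capability bit layout used by the v3 capget/capset ABI:
 * two 32-bit words per set, capability c lives in word c>>5, bit c&31. */
#define CAP_WORD(c) ((c) >> 5)
#define CAP_BIT(c)  (1u << ((c) & 31))

/* Fetch the calling thread's capability sets via the raw capget syscall. */
static int read_caps(struct __user_cap_header_struct *hdr,
                     struct __user_cap_data_struct data[2])
{
    memset(hdr, 0, sizeof(*hdr));
    hdr->version = _LINUX_CAPABILITY_VERSION_3;
    hdr->pid = 0;                       /* 0 = calling thread */
    return (int)syscall(SYS_capget, hdr, data);
}

/* 1 if cap is in the bounding set, 0 if not, -1 on error (errno set). */
int cap_in_bounding(int cap)
{
    return (int)prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
}

/* 1 if cap is in the inheritable set, 0 if not, -1 on error. */
int cap_in_inheritable(int cap)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[2] = {{0}};
    if (read_caps(&hdr, data) < 0)
        return -1;
    return (data[CAP_WORD(cap)].inheritable & CAP_BIT(cap)) ? 1 : 0;
}

/* Clear cap from the inheritable set. Dropping bits from pI is always
 * permitted, so this succeeds for unprivileged callers as well. */
int drop_inheritable(int cap)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[2] = {{0}};
    if (read_caps(&hdr, data) < 0)
        return -1;
    data[CAP_WORD(cap)].inheritable &= ~CAP_BIT(cap);
    return syscall(SYS_capset, &hdr, data) < 0 ? -1 : 0;
}

/* Remove cap from the bounding set (what the patch does). Requires
 * CAP_SETPCAP; treated as success if the cap is already absent. */
int drop_bounding(int cap)
{
    int present = cap_in_bounding(cap);
    if (present < 0)
        return -1;
    if (present == 0)
        return 0;
    return (int)prctl(PR_CAPBSET_DROP, cap, 0, 0, 0);
}

/* Combined hardening step: drop from both sets and verify the result.
 * Returns 0 only when the capability is gone from both sets. */
int drop_cap_fully(int cap)
{
    if (drop_bounding(cap) < 0)
        return -1;
    if (drop_inheritable(cap) < 0)
        return -1;
    return (cap_in_bounding(cap) == 0 && cap_in_inheritable(cap) == 0) ? 0 : -1;
}

int main(void)
{
    /* Before: report where CAP_SYS_BOOT currently is. */
    printf("before: bounding=%d inheritable=%d\n",
           cap_in_bounding(CAP_SYS_BOOT), cap_in_inheritable(CAP_SYS_BOOT));

    if (drop_cap_fully(CAP_SYS_BOOT) < 0)
        printf("drop_cap_fully failed: %s (bounding-set drop needs CAP_SETPCAP)\n",
               strerror(errno));

    /* After: pI is always cleared; the bounding set only if privileged. */
    printf("after:  bounding=%d inheritable=%d\n",
           cap_in_bounding(CAP_SYS_BOOT), cap_in_inheritable(CAP_SYS_BOOT));
    return 0;
}
```

Run as root inside a fresh container to see both values go to 0; as an unprivileged user only the inheritable bit is cleared, which is exactly the asymmetry the thread is about: the container's init must do the bounding-set drop while it still holds CAP_SETPCAP, before handing over to the workload.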