[libvirt] [PATCH v2]lxc: don't mount dir if ownership couldn't be known

Chen Hanxiao chenhanxiao at cn.fujitsu.com
Tue Nov 19 02:07:22 UTC 2013



> -----Original Message-----
> From: Daniel P. Berrange [mailto:berrange at redhat.com]
> Sent: Monday, November 18, 2013 11:57 PM
> To: Chen Hanxiao
> Cc: libvir-list at redhat.com
> Subject: Re: [libvirt] [PATCH v2]lxc: don't mount dir if ownership couldn't be known
> 
> On Thu, Nov 14, 2013 at 05:44:40PM +0800, Chen Hanxiao wrote:
> >
> > I used to encounter issues: inside container, we could modify files under /mnt
> >
> > So I think inside user namespace, if we do not have a proper id mapping,
> > we should not bind mount it for containers, or at least set it as readonly.
> 
> I don't see any security problem in what we're doing already
> 
> In the host I ran
> 
>  # mkdir /tmp/otheruser
>  # echo foo > /tmp/otheruser/hello.txt
>  # chown 500:500 /tmp/otheruser/
>  # chown 500:500 /tmp/otheruser/hello.txt
>  # chmod o-rwx /tmp/otheruser/hello.txt
> 
> And the container config has
> 
>   <idmap>
>     <uid start='0' target='1001' count='10'/>
>     <gid start='0' target='1001' count='10'/>
>   </idmap>
> 
>     <filesystem type='mount' accessmode='passthrough'>
>       <source dir='/tmp/otheruser'/>
>       <target dir='/mnt'/>
>     </filesystem>
> 
> 
> If I start the container now
> 
>   # virsh start --console shell
>   Connected to domain shell
>   Escape character is ^]
>   # cd /mnt/
>   # ls -al
>   total 8
>   drwxr-xr-x    2 65534    65534           60 Nov 18 15:51 .
>   drwxr-xr-x    8 0        0             4096 Nov 18 15:52 ..
>   -rw-r-----    1 65534    65534            4 Nov 18 15:51 hello.txt
>   # cat hello.txt
>   cat: can't open 'hello.txt': Permission denied
> 
> Everything appears to be working as designed. The directory is set to
> the overflow users, and so my permissions inside the container are
> restricted to whatever the 'other' bit in the permission mask allows
> for. 'r-x' for the directory lets me see it, but '---' prevents me
> reading the file 'hello.txt'.
> 
> So I don't see what your patch is trying to fix

Sorry for the late reply.

On one kernel version of 3.11-rcX, I did encounter an issue where we could MODIFY the kernel's file
without the related permission mask inside the container.
Gao said that couldn't happen, and I couldn't reproduce that issue on 3.12. (I lost the original env.)

If I encounter this issue again, I'll have Gao check it with me.

Thanks for your experiment.
> 
> Regards,
> Daniel
> --
> |: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
> |: http://libvirt.org              -o-             http://virt-manager.org :|
> |: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
> |: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|