[libvirt] [PATCHv2] lxc: give RW access to /proc/sys/net/ipv[46] to containers

Daniel P. Berrange berrange at redhat.com
Fri Dec 12 09:33:00 UTC 2014


On Thu, Dec 11, 2014 at 10:06:40PM +0100, Richard Weinberger wrote:
> On Tue, Dec 9, 2014 at 10:47 AM, Cédric Bosdonnat <cbosdonnat at suse.com> wrote:
> > Some programs want to change some values for the network interfaces
> > configuration in /proc/sys/net/ipv[46] folders. Giving RW access on them
> > allows wicked to work on openSUSE 13.2+.
> >
> > In order to mount those folders RW but keep the rest of /proc/sys RO,
> > we add temporary mounts for these folders before bind-mounting
> > /proc/sys. Those mounts will be skipped if the container doesn't have
> > its own network namespace.
> >
> > It may happen that one of the temporary mounts in /proc/ filesystem
> > isn't available due to a missing kernel feature. We must not fail
> > in that case.
> 
> IMHO we should drop the read-only /proc mount completely.
> The idea behind having a read-only /proc was to make a container less
> insecure because user namespaces did not exist yet.

Yep, read-only /proc was a (failed) attempt to predict the future - we
originally expected we'd need that even when user namespaces arrived,
but of course in the end it was a waste of time.

> Now as user namespaces are mainline and considered stable we should
> start dropping such hacks
> instead of adding more of them.

I'm trying to think if there are any backwards compatibility problems
if we got rid of read-only /proc but I can't imagine any app out there
is actively checking for a read-only /proc, so we'd probably be safe
to just switch it read-write.

> As a consequence of that libvirt has to decide what kind of container it
> wants to support.
> IMHO the only sane way is to enforce user namespaces to provide
> reasonable isolation.
> If a user can do bad things with a read-write /proc it needs to be
> fixed in the kernel
> and not in libvirt.
>
> Containers without user namespaces and a root within are insecure and
> broken by design.

Well addition of MAC can make them secure, but of course if you have
MAC, there's again no need to make /proc mount read-only.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
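As an added example (not libvirt code and not part of this thread), the layout the patch describes can be verified from inside a container by reading /proc/self/mountinfo: /proc/sys should be a read-only mount with /proc/sys/net/ipv4 and /proc/sys/net/ipv6 stacked on top of it read-write. The mountinfo text below is constructed for the example.

```python
"""Check which mount governs a path under /proc, from /proc/self/mountinfo.

The longest mount point that is a prefix of the path wins, so a rw bind mount
of /proc/sys/net/ipv4 stacked on a ro /proc/sys makes only that subtree writable.
"""
from __future__ import annotations
from pathlib import PurePosixPath


def parse_mountinfo(text: str) -> list[dict]:
    """Parse mountinfo lines; fields before ' - ' are fixed, after it come fstype/source."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, _, post = line.partition(" - ")
        fields = pre.split()
        fstype, source = post.split()[:2]
        mounts.append({
            "mountpoint": fields[4].replace("\\040", " "),  # mountinfo escapes spaces as \040
            "opts": set(fields[5].split(",")),
            "fstype": fstype,
            "source": source,
        })
    return mounts


def mount_for(mounts: list[dict], path: str) -> dict | None:
    """Return the mount entry whose mount point is the longest prefix of path."""
    p = PurePosixPath(path)
    best = None
    for m in mounts:
        mp = PurePosixPath(m["mountpoint"])
        if p == mp or mp in p.parents:
            if best is None or len(mp.parts) > len(PurePosixPath(best["mountpoint"]).parts):
                best = m
    return best


def is_writable(mounts: list[dict], path: str) -> bool:
    """True when the governing mount lacks the 'ro' option (mount-level check only)."""
    m = mount_for(mounts, path)
    return m is not None and "ro" not in m["opts"]


# Constructed sample: ro /proc/sys with rw ipv4/ipv6 submounts, as the patch intends.
SAMPLE_MOUNTINFO = """\
22 1 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
25 22 0:21 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
26 25 0:21 /sys/net/ipv4 /proc/sys/net/ipv4 rw,nosuid,nodev,noexec,relatime - proc proc rw
27 25 0:21 /sys/net/ipv6 /proc/sys/net/ipv6 rw,nosuid,nodev,noexec,relatime - proc proc rw
"""

if __name__ == "__main__":
    mounts = parse_mountinfo(SAMPLE_MOUNTINFO)
    for path in ("/proc/sys/net/ipv4/ip_forward", "/proc/sys/kernel/hostname", "/proc/cpuinfo"):
        print(path, "rw" if is_writable(mounts, path) else "ro")
```

Running it on a real container replaces SAMPLE_MOUNTINFO with the contents of /proc/self/mountinfo; the check reports mount options only, not MAC or user-namespace restrictions that may still deny a write.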