[libvirt] [PATCH 2/2] lxc: Only delegate VIR_CGROUP_CONTROLLER_SYSTEMD to containers

Daniel P. Berrange berrange at redhat.com
Fri Feb 14 10:30:44 UTC 2014


On Fri, Feb 14, 2014 at 08:49:07AM +0100, Richard Weinberger wrote:
> Am 13.02.2014 18:16, schrieb Daniel P. Berrange:
> > On Tue, Feb 11, 2014 at 11:51:26PM +0100, Richard Weinberger wrote:
> >> Due to security concerns we delegate only VIR_CGROUP_CONTROLLER_SYSTEMD
> >> to containers.
> >> Currently it is not safe to allow a container access to a resource controller.
> >>
> > 
> > We *do* want to allow all controllers to be visible to the container.
> > eg it is valid for them to have read access to view things like block
> > I/O and CPU accounting information. We just don't want to make it writable
> > for usernamespaces.
> 
> Okay. But what if one does not enable user namespaces?
> Then the controllers are writable within the container.

If you don't enable user namespaces, then containers should be considered
insecure unless all processes run non-root and all your filesystems are
mounted no-setuid to prevent escalation fo privileges back to root, or you
have SELinux applying controls.

So once ypou have the requirement that security depends on being non-root
then the cgroups are no longer writable, except when your consider is
already insecure for other reasons.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|




More information about the libvir-list mailing list