[libvirt] [PATCH 2/2] lxc: Only delegate VIR_CGROUP_CONTROLLER_SYSTEMD to containers

Richard Weinberger richard at nod.at
Fri Feb 14 11:11:13 UTC 2014


On 14.02.2014 11:30, Daniel P. Berrange wrote:
> On Fri, Feb 14, 2014 at 08:49:07AM +0100, Richard Weinberger wrote:
>> On 13.02.2014 18:16, Daniel P. Berrange wrote:
>>> On Tue, Feb 11, 2014 at 11:51:26PM +0100, Richard Weinberger wrote:
>>>> Due to security concerns we delegate only VIR_CGROUP_CONTROLLER_SYSTEMD
>>>> to containers.
>>>> Currently it is not safe to allow a container access to a resource controller.
>>>>
>>>
>>> We *do* want to allow all controllers to be visible to the container.
>>> eg it is valid for them to have read access to view things like block
>>> I/O and CPU accounting information. We just don't want to make it writable
>>> for usernamespaces.
>>
>> Okay. But what if one does not enable user namespaces?
>> Then the controllers are writable within the container.
> 
> If you don't enable user namespaces, then containers should be considered
> insecure unless all processes run non-root and all your filesystems are
> mounted no-setuid to prevent escalation of privileges back to root, or you
> have SELinux applying controls.

Yeah, I hope all users know that too. Do you plan to support non-user-namespace
containers in the future?

Maybe one should communicate this to docker.io folks as well. *scnr*

> So once you have the requirement that security depends on being non-root
> then the cgroups are no longer writable, except when your container is
> already insecure for other reasons.

Yep.

Thanks,
//richard
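The conditions Daniel lists above (a user namespace, or else all processes non-root and every filesystem mounted nosuid) can be audited from inside a container. The script below is an added example and is not libvirt code or anything posted in this thread. It takes the contents of /proc/self/uid_map and /proc/self/mountinfo as strings plus the uid the container's processes run as, so it can be run against the constructed sample data embedded here; the mountinfo field layout and the 4294967295-range identity mapping are the documented kernel formats. The SELinux alternative Daniel mentions is not checked.

```shell
#!/bin/sh
# Added example (not libvirt's code): audit whether writable cgroup
# controllers inside a container are reachable by a process that can
# become root on the host.

# in_userns UID_MAP_TEXT
# True unless uid_map is the full-range identity mapping "0 0 4294967295",
# which is what an init_user_ns process (no user namespace) sees.
in_userns() {
    printf '%s\n' "$1" | awk '$1 == 0 && $2 == 0 && $3 == 4294967295 { id = 1 }
                              END { exit id ? 1 : 0 }'
}

# suid_capable_mounts MOUNTINFO_TEXT
# Prints mount points (field 5) whose per-mount options (field 6) are rw
# and lack nosuid, i.e. filesystems from which a setuid binary could
# hand root back to a non-root process.
suid_capable_mounts() {
    printf '%s\n' "$1" | awk '{
        n = split($6, o, ","); rw = 0; nosuid = 0
        for (i = 1; i <= n; i++) { if (o[i] == "rw") rw = 1; if (o[i] == "nosuid") nosuid = 1 }
        if (rw && !nosuid) print $5
    }'
}

# cgroup_controllers_writable MOUNTINFO_TEXT
# Prints cgroup/cgroup2 mount points that are mounted rw. The fstype is the
# field after the "-" separator; the first per-mount option is rw or ro.
cgroup_controllers_writable() {
    printf '%s\n' "$1" | awk '{
        fstype = ""
        for (i = 7; i <= NF; i++) if ($i == "-") { fstype = $(i + 1); break }
        if (fstype == "cgroup" || fstype == "cgroup2") {
            split($6, o, ","); if (o[1] == "rw") print $5
        }
    }'
}

# container_verdict UID_MAP_TEXT MOUNTINFO_TEXT UID
# Exit 0 when writable cgroups are contained (user namespace, or non-root
# with no setuid-capable mounts); exit 1 otherwise. SELinux is not checked.
container_verdict() {
    if in_userns "$1"; then
        echo "userns: cgroup writes are contained by the uid mapping"
        return 0
    fi
    if [ "$3" -ne 0 ] && [ -z "$(suid_capable_mounts "$2")" ]; then
        echo "no userns, but non-root with nosuid mounts: cgroup writes cannot escalate"
        return 0
    fi
    echo "insecure: root reachable without a user namespace; writable cgroups: $(cgroup_controllers_writable "$2" | tr '\n' ' ')"
    return 1
}

# Constructed sample inputs (not captured from a real system).
UID_MAP_HOST='         0          0 4294967295'
UID_MAP_USERNS='         0     100000      65536'
MOUNTINFO='25 0 0:21 / / rw,relatime - ext4 /dev/root rw
26 25 0:22 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
27 25 0:23 / /sys/fs/cgroup/cpu rw,nosuid,nodev,noexec,relatime - cgroup cgroup rw,cpu
28 25 0:24 / /data rw,nosuid,relatime - ext4 /dev/sdb1 rw'

# Sample runs: the first passes, the second reports "/" as setuid-capable.
container_verdict "$UID_MAP_USERNS" "$MOUNTINFO" 0
container_verdict "$UID_MAP_HOST" "$MOUNTINFO" 0 || true
```

Inside a real container the same functions take live data: `container_verdict "$(cat /proc/self/uid_map)" "$(cat /proc/self/mountinfo)" "$(id -u)"`. A rw cgroup mount on its own is not the finding; the finding is a rw cgroup mount combined with a path back to host root, which is exactly the distinction the thread draws.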
