-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 05/15/2012 11:45 AM, st...@linuxsuite.org wrote:
>> On Tuesday, 15 May 2012 at 10:34 -0400, st...@linuxsuite.org wrote:
>>> Howdy!
>>>
>>> On debian squeeze with LXC version 0.7.2, I can mount sysfs in the container..
>>>
>>> Isn't this a serious security issue? i.e. messing with files in /sys/ as root in a container.
>>>
>>> Or is sysfs protected somehow in LXC container? Is there a workaround? Or is this issue on the TODO list? Or is this changed in later versions??
>>
>> I don't think it is really possible to protect it, unless you mount it read-only and drop mount capabilities (which means dropping cap_sys_admin, which has probably a lot of other drawbacks). Or you need to use some other tricks like SELinux / Apparmor / ...
>
> There are lots of scenarios where the ability to mount sysfs in a container is not needed, and/or for security reasons is just a bad idea.
>
> Isn't it possible to add a simple check to prevent mounting sysfs in a container, and this feature could be configurable either on a container by container basis or for all containers? Otherwise getting root in a container allows for possible trashing of the entire host by messing with files in /sysfs??
>
> This issue is important, and will limit use of LXC in important production situations. Other container solutions do not allow for mounting sysfs in container, example Linux-Vserver
>
> thoughts? If simple enough and with adequate guidance I may be able to implement this if it is not on the TODO, and is technically feasible? But I suppose if it was simple and feasible it would already be done. Or perhaps understandably there are other priorities? or conflicts with other parts of the system or.. perhaps better to implement this through other means like SELinux (trivial or difficult??)
>
> thanx - steve
There's currently no easy way for LXC itself to prevent mounting a single filesystem. The easiest way to do this is by using apparmor/selinux, which Ubuntu 12.04 LTS does by default (you can only write to a limited subset of /sys that we know is safe). Blocking /sys entirely isn't the right option either, as you'll actually need to have access to some of it with recent distributions, at least for some subset of /sys/fs.

/sys isn't the only risky filesystem in a container at the moment; /proc in most distros contains /proc/sysrq-trigger, which lets a container reboot or shutdown the host, and for this one you don't quite have the option not to mount it.

The real solution to the problem, as stated by Serge, is to use the user namespaces, which we hope will land in the upstream kernel very soon. Until then, we can't consider LXC to be root-safe and we can only mitigate the issue by using apparmor or selinux (we can't know for a fact that we didn't miss something in the profile, so can't assume it to be safe).
- --
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBCgAGBQJPsoulAAoJEMY4l01keS1nnuAQALBL6Ss06OYATxTuAH/fp4RA
0zRAQ1aabMdzlC6b+G4NJuvJy3IJJkmuzcxERkBQ3My32dYde3SP4cP6vnx6Qhdu
epZx+W6lrdRaNuShQYFYp1+mwViGFqUmkqWnofqOPFhsHjNRsoPPN7hx6CTm4Tme
7oQ3kQCJeU902+doHLWbt0SzpxSIcVSZqEqLh8rSosV0ZtEseoE6jUFfvsMRLj86
1zTevENuWyeSxCB3jPOp7edM09iAKmzpev7OVx/L/C5OQJszcycOLc4VgFgOvJZ1
ABOqupPSkWBVz9/uY23K81xuJskRqUWW5UPn+1rPJNNnli5QZ2tYTceI1LnCwIt9
3aGcPqtzTbe8XbwWwNNflYCT3jvctFiac4rp0DPDozJFumyUDCCcqAdSamgDMy1B
j+vQEumUNXVODcdkDITwGoCWi50rETHzIMq5jnWWvwq3r0DOJDDcNa+RXGhyhwge
RKNaQ8ZboPRlCndtQG4bUJ1do1CFZNp4jlu4hKshF0syjyK0Pe1Znh1puYyOAG90
9tmiegm3dhtZw1MM+xIpIpcdk7/s4aCCyDaCw+otNa9yU7Y38Qwi4Qwy73xn/AtN
uvGFI1QxfgqlZmqB1EbsBWuVZPtojjKL/4IKRNdyzheG9dlBydD+s0vTsmjuzWGH
LGUv+bJisoCSuBNGnkOp
=YDVX
-----END PGP SIGNATURE-----

_______________________________________________
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel
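As an added illustration of the exposure discussed in the reply above (it is not code from the thread, from LXC or from Ubuntu's AppArmor profile), the following POSIX shell audit helper reads a mounts(5)-format table and reports which sysfs and proc mounts a process in the current environment can write to, and whether /proc/sysrq-trigger is writable. It only reads and reports; the sample mount table is constructed to resemble the squeeze-era container described by the original poster, and the function and variable names are the editor's own.

```shell
#!/bin/sh
# Added audit helper, not code from the lxc-devel thread or the LXC project.
# It reads a mounts(5)-format table (/proc/self/mounts by default) and reports
# which proc and sysfs mounts this process could write to, plus whether
# /proc/sysrq-trigger is writable. It only reads; it changes nothing.

# Print "ro" or "rw" for one mounts(5) line such as
# "sysfs /sys sysfs rw,nosuid,nodev 0 0" (fields: source, target, fstype, options).
mount_mode() {
    set -- $1
    case ",$4," in
        *,ro,*) echo ro ;;
        *)      echo rw ;;
    esac
}

# Read a mount table on stdin and print "<fstype> <mountpoint> <ro|rw>" for every
# proc or sysfs mount, the two pseudo-filesystems the thread is concerned with.
audit_mounts() {
    while read -r line; do
        set -- $line
        case "$3" in
            proc|sysfs) echo "$3 $2 $(mount_mode "$line")" ;;
        esac
    done
}

# Succeed if the given file (default /proc/sysrq-trigger) is writable by this process.
sysrq_trigger_writable() {
    [ -w "${1:-/proc/sysrq-trigger}" ]
}

# Constructed sample table resembling the container described in the thread
# (both pseudo-filesystems mounted read-write); not captured from a real host.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0'

echo "== constructed sample =="
printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts

echo "== this environment =="
if [ -r /proc/self/mounts ]; then
    audit_mounts < /proc/self/mounts
fi
if sysrq_trigger_writable; then
    echo "/proc/sysrq-trigger is writable: a root process here could trigger host sysrq actions"
else
    echo "/proc/sysrq-trigger is not writable (or absent)"
fi
```

Run it inside a container to see the default posture; a "rw" line for sysfs or proc, or a writable /proc/sysrq-trigger, is exactly the condition the reply says LXC alone cannot prevent and that an AppArmor/SELinux profile or user namespaces are needed to mitigate. A mount flagged "ro" here is still only as strong as the container's ability to remount it, which is why the reply ties real protection to dropping mount capabilities or to a MAC profile rather than to the mount options alone.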