[lxc-devel] set shmmax for container in lxc-execute
Hi,

I am trying to add lxc.shmmax as a configuration option for lxc-execute, so the container would have the desired shmmax setting. I run lxc-execute as a regular user and setuid root. When trying to open /proc/sys/kernel/shmmax for write in lxc_setup(), I got "permission denied". I checked that all the capabilities are up in the PERMITTED and EFFECTIVE sets. Does anyone know the reason for not being able to write to /proc/sys/kernel/shmmax? I can work around this problem by setting the euid to 0 before the open/write, but I would like to understand the permission issue.

Thanks.

Jian

--
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
___
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel
Re: [lxc-devel] set shmmax for container in lxc-execute
On 07/05/2012 06:41 AM, J. Xiao wrote:
> Hi,
>
> I am trying to add lxc.shmmax as a configuration option for lxc-execute,
> so the container would have desired shmmax setting.
> I run lxc-execute as a regular user and setuid root. When trying to open
> /proc/sys/kernel/shmmax for write in lxc_setup(), I got "permission
> denied". I checked that all the capabilities are up in PERMITTED and
> EFFECTIVE set. Does anyone know the reason for not being able to write
> to /proc/sys/kernel/shmmax? I can work around this problem by setting
> the euid to 0 before the open/write, but I would like to understand the
> permission issue.
>
> Thanks.
>
> Jian

Hi Jian,

I've updated the apparmor profile in Ubuntu 12.10 and an update is pending to Ubuntu 12.04 LTS to implement the same change.

This change whitelists /proc/sys/kernel/shm* in the apparmor profile as these are tied to the IPC namespace and so are safe to set.

In the meantime, you can manually apply the change to /etc/apparmor.d/lxc/lxc-default

diff -Nru lxc-0.7.5/debian/lxc-default.apparmor lxc-0.7.5/debian/lxc-default.apparmor --- lxc-0.7.5/debian/lxc-default.apparmor 2012-05-24 15:25:38.0 + +++ lxc-0.7.5/debian/lxc-default.apparmor 2012-07-05 17:20:00.0 + @@ -16,6 +16,9 @@ # allow mqueue mounts everywhere mount fstype=mqueue, + # allow fuse mounts everywhere + mount fstype=fuse.*, + # the container may never be allowed to mount devpts. If it does, it # will remount the host's devpts. We could allow it to do it with # the newinstance option (but, right now, we don't).
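Review bot: the `mount fstype=fuse.*,` addition in the first hunk (@@ -16,6 +16,9 @@) is unrelated to the /proc/sys/kernel/shm* whitelisting this mail describes, and its only documentation is the one-line comment "allow fuse mounts everywhere"; it widens what a confined container may mount, so it should go in its own change with a stated rationale, or at least the comment should say why FUSE filesystems are safe to allow at any mount point. Also confirm whether the rule is meant to cover the bare `fuse` filesystem type as well as the `fuse.<name>` variants: `fuse.*` requires the dot, so `mount -t fuse` would still be denied while `fuse.sshfs` is allowed.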
@@ -32,7 +35,8 @@ deny @{PROC}/sysrq-trigger rwklx, deny @{PROC}/mem rwklx, deny @{PROC}/kmem rwklx, - deny @{PROC}/sys/kernel/** wklx, + deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx, + deny @{PROC}/sys/kernel/*/** wklx, # deny writes in /sys except for /sys/fs/cgroup, also allow # fusectl, securityfs and debugfs to be mounted there (read-only)

I'm expecting this fix to land within the next two weeks.

--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
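Review bot: the new `deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,` line in the second hunk (@@ -32,7 +35,8 @@) does not express "everything except names beginning with shm". Each bracket class matches one character at a fixed position, so the rule only denies names whose first character is not `s` and whose second is not `h` and whose third is not `m`; a name that fails any one of those tests is no longer denied. That re-opens every `s*` entry (`sysrq`, `suid_dumpable`, `sched_*`, ...), `threads-max` (second character `h`) and `domainname` (third character `m`), whereas the mail says only shm* is meant to be whitelisted. Spell the intended set out with alternation instead, e.g. `deny @{PROC}/sys/kernel/{[^s]*,s[^h]*,sh[^m]*} wklx,`, and keep the added `deny @{PROC}/sys/kernel/*/** wklx,` line, which is needed because the removed `**` rule covered subdirectories and a single-component pattern does not.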
Re: [lxc-devel] set shmmax for container in lxc-execute
Thanks, Stephane, for your answer.

However, I am running on RedHat; is there a similar file on RedHat I can check?

On 7/5/2012 4:26 PM, Stéphane Graber wrote:
> On 07/05/2012 06:41 AM, J. Xiao wrote:
>> Hi,
>>
>> I am trying to add lxc.shmmax as a configuration option for lxc-execute,
>> so the container would have desired shmmax setting.
>> I run lxc-execute as a regular user and setuid root. When trying to open
>> /proc/sys/kernel/shmmax for write in lxc_setup(), I got "permission
>> denied". I checked that all the capabilities are up in PERMITTED and
>> EFFECTIVE set. Does anyone know the reason for not being able to write
>> to /proc/sys/kernel/shmmax? I can work around this problem by setting
>> the euid to 0 before the open/write, but I would like to understand the
>> permission issue.
>>
>> Thanks.
>>
>> Jian
>
> Hi Jian,
>
> I've updated the apparmor profile in Ubuntu 12.10 and an update is
> pending to Ubuntu 12.04 LTS to implement the same change.
>
> This change whitelists /proc/sys/kernel/shm* in the apparmor profile as
> these are tied to the IPC namespace and so are safe to set.
>
> In the mean time, you can manually apply the change to
> /etc/apparmor.d/lxc/lxc-default
>
> diff -Nru lxc-0.7.5/debian/lxc-default.apparmor > lxc-0.7.5/debian/lxc-default.apparmor > --- lxc-0.7.5/debian/lxc-default.apparmor 2012-05-24 15:25:38.0 > + > +++ lxc-0.7.5/debian/lxc-default.apparmor 2012-07-05 17:20:00.0 > + > @@ -16,6 +16,9 @@ > # allow mqueue mounts everywhere > mount fstype=mqueue, > > + # allow fuse mounts everywhere > + mount fstype=fuse.*, > + > # the container may never be allowed to mount devpts. If it does, it > # will remount the host's devpts. We could allow it to do it with > # the newinstance option (but, right now, we don't).
> @@ -32,7 +35,8 @@ > deny @{PROC}/sysrq-trigger rwklx, > deny @{PROC}/mem rwklx, > deny @{PROC}/kmem rwklx, > - deny @{PROC}/sys/kernel/** wklx, > + deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx, > + deny @{PROC}/sys/kernel/*/** wklx, > > # deny writes in /sys except for /sys/fs/cgroup, also allow > # fusectl, securityfs and debugfs to be mounted there (read-only) >
> I'm expecting this fix to land within the next two weeks.
>
Re: [lxc-devel] set shmmax for container in lxc-execute
On 07/05/2012 04:41 PM, J. Xiao wrote:
> Thanks Stephane for your answer.
>
> However, I am running on RedHat, is there a similar file on RedHat I can
> check?

I don't know RedHat but as far as I know Ubuntu is the only distro currently restricting access to /proc in containers.

RedHat uses SELinux but lxc currently doesn't have any support for it, so it's unlikely to be the problem.

Maybe something is dropping some capabilities that are preventing you from changing these limits?

--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
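The question the thread leaves open, why the write fails even though every capability is present, has an answer that does not involve AppArmor at all: the permission check for /proc/sys entries (proc_sys_permission() in fs/proc/proc_sysctl.c, which ends in test_perm() in kernel/sysctl.c) compares only the effective uid and gid against the entry's mode bits and never consults capabilities. shmmax is exposed as 0644, so a process whose euid is not 0 gets EACCES no matter what its capability sets contain, which is exactly what the seteuid(0) workaround changes. On Ubuntu the AppArmor rule discussed above is a second, independent denial. The following is an added example written for this page, not code from lxc or from anyone in the thread: it models that kernel check so the behaviour can be seen without root, and adds a small diagnostic that attempts the write, decodes CapEff from /proc/self/status and prints the LSM confinement label from /proc/self/attr/current. The two capability bit numbers are copied from <linux/capability.h>; the /proc/self/status text used for checking the parser is constructed; the diagnostic itself needs Linux.

```c
/* Added example (editor's, not lxc code): why a write to
 * /proc/sys/kernel/shmmax fails with "permission denied" for a process that
 * holds every capability but runs with euid != 0, plus a diagnostic.
 * Build: cc -Wall -o shmdiag shmdiag.c ; run: ./shmdiag [path] [value] */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

enum { MAY_EXEC = 1, MAY_WRITE = 2, MAY_READ = 4 };

/* Bit numbers copied from <linux/capability.h> so this builds without it. */
#define CAP_DAC_OVERRIDE 1
#define CAP_SYS_ADMIN    21

/* Model of the kernel's DAC check for /proc/sys entries (test_perm() in
 * kernel/sysctl.c). Only the effective uid/gid is compared with the entry's
 * mode bits; CAP_DAC_OVERRIDE and friends are never consulted here. With
 * shmmax at mode 0644, euid != 0 therefore yields -EACCES on write. */
int sysctl_perm_model(unsigned int mode, uid_t euid, int in_root_group, int op)
{
    if (euid == 0)
        mode >>= 6;            /* owner (root) bits */
    else if (in_root_group)
        mode >>= 3;            /* group (root) bits */
    if ((op & ~mode & (MAY_READ | MAY_WRITE | MAY_EXEC)) == 0)
        return 0;
    return -EACCES;
}

/* Pull the CapEff mask out of /proc/<pid>/status text. Returns 1 on success. */
int parse_cap_eff(const char *status_text, unsigned long long *caps)
{
    const char *p = status_text;
    while (p && *p) {
        if (strncmp(p, "CapEff:", 7) == 0)
            return sscanf(p + 7, " %llx", caps) == 1;
        p = strchr(p, '\n');
        if (p)
            p++;
    }
    return 0;
}

int has_cap(unsigned long long caps, int cap)
{
    return (int)((caps >> cap) & 1ULL);
}

/* Read a small proc file into buf; returns bytes read or -1. */
static ssize_t slurp(const char *path, char *buf, size_t len)
{
    int fd = open(path, O_RDONLY);
    ssize_t n;
    if (fd < 0)
        return -1;
    n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/* Attempt the sysctl write. Returns 0 on success or the errno of the failure,
 * after explaining on stderr which of the two checks is the likely cause. */
int try_sysctl_write(const char *path, const char *value)
{
    char status[4096], label[256];
    unsigned long long caps = 0;
    int err = 0;
    int fd = open(path, O_WRONLY);
    if (fd < 0) {
        err = errno;
    } else {
        if (write(fd, value, strlen(value)) < 0)
            err = errno;
        close(fd);
    }
    if (err == 0)
        return 0;
    fprintf(stderr, "%s: %s (euid=%u)\n", path, strerror(err), (unsigned)geteuid());
    if (slurp("/proc/self/status", status, sizeof status) > 0 && parse_cap_eff(status, &caps))
        fprintf(stderr, "  CapEff=%016llx dac_override=%d sys_admin=%d\n", caps,
                has_cap(caps, CAP_DAC_OVERRIDE), has_cap(caps, CAP_SYS_ADMIN));
    /* AppArmor/SELinux expose the confinement label here; "unconfined" rules
     * out an LSM denial and leaves the euid-based sysctl check as the cause. */
    if (slurp("/proc/self/attr/current", label, sizeof label) > 0)
        fprintf(stderr, "  LSM label: %s\n", label);
    if (err == EACCES && geteuid() != 0)
        fprintf(stderr, "  -> euid is not 0: the /proc/sys DAC check ignores capabilities\n");
    return err;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/proc/sys/kernel/shmmax";
    const char *value = argc > 2 ? argv[2] : "268435456\n";
    return try_sysctl_write(path, value) ? 1 : 0;
}
```

Run it from the same privilege state lxc_setup() has when it opens shmmax: if CapEff shows dac_override=1 and sys_admin=1 but euid is non-zero and the error is EACCES, the failure is the euid check and the fix is to perform the write while euid is 0, not to adjust capabilities. An EACCES with euid 0 and a non-"unconfined" label points at the LSM profile instead.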