Re: [lxc-devel] [RFC] rootfs pinning
On 09/12/2013 01:27:07 PM, Christian Seiler wrote:
> Hi there,
>
> just a quick question: currently, rootfs is pinned with a .hold file in
> the parent directory (which btw. does not help against file systems that
> are already mounted on the host but directly in the rootfs directory).
> The problem with the .hold file is that it doesn't make the directory
> necessarily pretty; I tend to mount all rootfs to /srv/lxc/$container
> (config remaining in /var/lib/lxc), and then when doing a ls /srv/lxc, I
> see tons of .hold files. (I'm not even sure that they are removed after
> container termination - but even if they are, the default state of a
> typical system tends to be that at least some containers are
> running...)
>
> Couldn't we just open $rootfs/lxc.hold for writing, keep the fd (as
> current pinfd) and then unlink (!) the file directly? According to POSIX
> semantics, the file is then still open and the pinning should work (now
> also for the above case), but there are no files lying around anymore.
> (Note: I didn't test that, it could well be that that doesn't work.)
>
> Thoughts?

Why doesn't keeping a file open to the directory itself work? (I'm
assuming it doesn't, I'm wondering why.)

Rob

--
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel
[lxc-devel] [PATCH RFC 0/1] refactor AppArmor into LSM backend, add SELinux support
This change proposes to add support to LXC for additional LSMs (Linux Security Modules), namely SELinux. It does so by turning the existing AppArmor calls into generic lsm_* calls, which are then handled by one of three LSM drivers: AppArmor, SELinux, or a nop driver. Adding a SMACK driver should be fairly simple. The nop driver is used when LXC has compiled-in support for AppArmor or SELinux but neither is enabled in the runtime environment.

One minor point of discussion should be whether to keep the aa_profile configuration item and have a separate selinux_context item, or to use the approach taken in this patch, which is to genericize the name to lsm_label. Using a single lsm_label implies that the policies will never be used together, which I believe is likely a safe assumption.

A larger issue is the semantics around when lxc changes profile/context. Currently, the AppArmor backend uses aa_change_profile(), which changes the profile immediately. No analog exists in SELinux, so the SELinux backend uses setexeccon_raw(), which only takes effect upon exec(2). We could change the AppArmor backend to use aa_change_onexec() to give them similar semantics, but this would possibly break callers relying on the "immediate change" behavior (in particular users of the new attach API calling a function). I don't know how widespread this reliance might be, but I don't think that model is supportable in SELinux. The current patch does not try to resolve the difference; I guess one option is to just leave it that way. Definitely looking for some guidance here.

I tested this with Ubuntu to try and make sure I didn't break AppArmor (in both lxc-start and lxc-attach, cat /proc/self/attr/current shows "lxc-container-default (enforce)"). I've also tested this on OracleLinux with an in-progress SELinux policy module, which I can post if it's useful. I've also build-tested on Fedora and run unconfined, but have not written a policy there.
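The driver arrangement the cover letter describes, written out as an added example for this page rather than the patch's own lsm.c: one struct of function pointers shared by an AppArmor, a SELinux and a nop backend, runtime detection that picks the first active backend and falls back to nop, and a generic label-set entry point. It deliberately offers only the exec-time change, the semantics the letter says SELinux can support, so both real backends write to /proc/self/attr/exec, the kernel interface behind setexeccon_raw() and aa_change_onexec(), and no libapparmor or libselinux is needed. Assumptions beyond the page: AppArmor is detected through /sys/module/apparmor/parameters/enabled, SELinux through selinuxfs being mounted at /sys/fs/selinux, the nop driver reports the constant label "unconfined", and, following the doc change in the patch, a label of "unconfined" or "unconfined_t" means the process is not relabelled at all.

```c
/* Added example (not the patch's code): lsm_* dispatch with AppArmor,
 * SELinux and nop backends chosen at run time. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* One interface for every backend; label changes are exec-time only. */
struct lsm_drv {
    const char *name;
    int (*enabled)(void);                               /* 1 if active on this host */
    int (*process_label_get)(char *buf, size_t n);      /* label of the caller */
    int (*process_label_set_onexec)(const char *label); /* applied at exec(2) */
};

/* Read a small proc/sys file, strip the trailing newline; bytes read or -1. */
static int read_small_file(const char *path, char *buf, size_t n)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t len = read(fd, buf, n - 1);
    close(fd);
    if (len < 0)
        return -1;
    buf[len] = '\0';
    if (len > 0 && buf[len - 1] == '\n')
        buf[--len] = '\0';
    return (int)len;
}

static int write_small_file(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t len = (ssize_t)strlen(s);
    int rc = write(fd, s, len) == len ? 0 : -1;
    close(fd);
    return rc;
}

/* AppArmor and SELinux both publish the caller's label at this path. */
static int proc_label_get(char *buf, size_t n)
{ return read_small_file("/proc/self/attr/current", buf, n) < 0 ? -1 : 0; }

/* AppArmor: kernel flag in sysfs (assumed detection path); the on-exec
 * request is the "exec <profile>" string aa_change_onexec() writes. */
static int apparmor_enabled(void)
{
    char v[8];
    return read_small_file("/sys/module/apparmor/parameters/enabled", v, sizeof v) > 0 && v[0] == 'Y';
}
static int apparmor_label_set_onexec(const char *profile)
{
    char req[256];
    if (snprintf(req, sizeof req, "exec %s", profile) >= (int)sizeof req)
        return -1;
    return write_small_file("/proc/self/attr/exec", req);
}

/* SELinux: selinuxfs at /sys/fs/selinux (assumed mount point); writing the
 * context to attr/exec is what setexeccon_raw() does. */
static int selinux_enabled(void) { return access("/sys/fs/selinux/enforce", F_OK) == 0; }
static int selinux_label_set_onexec(const char *context)
{ return write_small_file("/proc/self/attr/exec", context); }

/* nop: compiled-in fallback for hosts with no active LSM; never relabels. */
static int nop_enabled(void) { return 1; }
static int nop_label_get(char *buf, size_t n) { snprintf(buf, n, "unconfined"); return 0; }
static int nop_label_set_onexec(const char *label) { (void)label; return 0; }

static const struct lsm_drv drivers[] = {
    { "AppArmor", apparmor_enabled, proc_label_get, apparmor_label_set_onexec },
    { "SELinux",  selinux_enabled,  proc_label_get, selinux_label_set_onexec },
    { "nop",      nop_enabled,      nop_label_get,  nop_label_set_onexec }, /* keep last */
};
#define NDRIVERS (sizeof drivers / sizeof drivers[0])

const struct lsm_drv *lsm_find(const char *name)
{
    for (size_t i = 0; i < NDRIVERS; i++)
        if (strcmp(drivers[i].name, name) == 0)
            return &drivers[i];
    return NULL;
}

/* First driver active on this host wins; nop is last, so this never fails. */
const struct lsm_drv *lsm_init(void)
{
    for (size_t i = 0; i < NDRIVERS; i++)
        if (drivers[i].enabled())
            return &drivers[i];
    return &drivers[NDRIVERS - 1];
}

/* "unconfined" (AppArmor) and "unconfined_t" (SELinux) mean: do not relabel. */
int lsm_process_label_set_onexec(const struct lsm_drv *drv, const char *label)
{
    if (!label || !strcmp(label, "unconfined") || !strcmp(label, "unconfined_t"))
        return 0;
    return drv->process_label_set_onexec(label);
}
```

On a host with neither LSM active, lsm_init() returns the nop driver and every label operation succeeds without touching /proc, which is the behaviour the cover letter wants from a build that has both backends compiled in. The one-sentinel-per-backend check in lsm_process_label_set_onexec() is the place where the single lsm_label key forces a decision: it has to accept whichever spelling the documentation for each backend promises.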
[lxc-devel] [PATCH RFC 1/1] refactor AppArmor into LSM backend, add SELinux support
- fix Oracle template mounting of proc and sysfs, needed when using SELinux Signed-off-by: Dwight Engen --- configure.ac| 14 doc/lxc.conf.sgml.in| 29 ++- src/lxc/Makefile.am | 21 - src/lxc/apparmor.c | 219 src/lxc/apparmor.h | 56 - src/lxc/attach.c| 31 +++ src/lxc/attach.h| 2 +- src/lxc/conf.c | 40 ++--- src/lxc/conf.h | 11 +-- src/lxc/confile.c | 32 +++ src/lxc/lsm/apparmor.c | 168 + src/lxc/lsm/lsm.c | 154 ++ src/lxc/lsm/lsm.h | 51 +++ src/lxc/lsm/nop.c | 45 ++ src/lxc/lsm/selinux.c | 101 ++ src/lxc/start.c | 13 ++- src/lxc/start.h | 3 - templates/lxc-oracle.in | 9 +- 18 files changed, 630 insertions(+), 369 deletions(-) delete mode 100644 src/lxc/apparmor.c delete mode 100644 src/lxc/apparmor.h create mode 100644 src/lxc/lsm/apparmor.c create mode 100644 src/lxc/lsm/lsm.c create mode 100644 src/lxc/lsm/lsm.h create mode 100644 src/lxc/lsm/nop.c create mode 100644 src/lxc/lsm/selinux.c diff --git a/configure.ac b/configure.ac index cffbdac..9d77bb5 100644 --- a/configure.ac +++ b/configure.ac 
@@ -115,6 +115,20 @@ AM_COND_IF([ENABLE_APPARMOR], AC_CHECK_LIB([apparmor], [aa_change_profile],[],[AC_MSG_ERROR([You must install the AppArmor development package in order to compile lxc])]) AC_SUBST([APPARMOR_LIBS], [-lapparmor])]) +# SELinux +AC_ARG_ENABLE([selinux], + [AC_HELP_STRING([--enable-selinux], [enable SELinux support])], + [], [enable_selinux=check]) + +if test "x$enable_selinux" = xcheck; then + AC_CHECK_LIB([selinux],[setexeccon_raw],[enable_selinux=yes],[enable_selinux=no]) +fi +AM_CONDITIONAL([ENABLE_SELINUX], [test "x$enable_selinux" = "xyes"]) +AM_COND_IF([ENABLE_SELINUX], + [AC_CHECK_HEADER([selinux/selinux.h],[],[AC_MSG_ERROR([You must install the SELinux development package in order to compile lxc])]) + AC_CHECK_LIB([selinux], [setexeccon_raw],[],[AC_MSG_ERROR([You must install the SELinux development package in order to compile lxc])]) + AC_SUBST([SELINUX_LIBS])]) + # Seccomp syscall filter AC_ARG_ENABLE([seccomp], [AC_HELP_STRING([--enable-seccomp], [enable seccomp])], diff --git a/doc/lxc.conf.sgml.in b/doc/lxc.conf.sgml.in index dc416e8..8991220 100644 --- a/doc/lxc.conf.sgml.in +++ b/doc/lxc.conf.sgml.in @@ -796,7 +796,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA - lxc.aa_profile + lxc.lsm_label 
@@ -804,7 +804,32 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA be run. To specify that the container should be unconfined, use - lxc.aa_profile = unconfined + lxc.lsm_label = unconfined + + + + + + + SELinux context + + If lxc was compiled and installed with SELinux support, and the host + system has SELinux enabled, then the SELinux context under which the + container should be run can be specified in the container + configuration. The default is unconfined_t, + which means that lxc will not attempt to change contexts. + + + + + lxc.lsm_label + + + + Specify the SELinux context under which the container should + be run or unconfined_t. For example + + lxc.lsm_label = unconfined_u:unconfined_r:lxc_t:s0-s0:c0.c1023 diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am index f19a994..873b97d 100644 --- a/src/lxc/Makefile.am +++ b/src/lxc/Makefile.am @@ -37,6 +37,18 @@ sodir=$(libdir) # use PROGRAMS to avoid complains from automake so_PROGRAMS = liblxc.so +LSM_SOURCES = \ + lsm/nop.c \ + lsm/lsm.h lsm/lsm.c + +if ENABLE_APPARMOR +LSM_SOURCES += lsm/apparmor.c +endif + +if ENABLE_SELINUX +LSM_SOURCES += lsm/selinux.c +endif + liblxc_so_SOURCES = \ arguments.c arguments.h \ bdev.c bdev.h \ @@ -73,10 +85,11 @@ liblxc_so_SOURCES = \ af_unix.c af_unix.h \ \ lxcutmp.c lxcutmp.h \ - apparmor.c apparmor.h \ lxclock.h lxclock.c \ lxccontainer.c lxccontainer.h \ - version.c version.h + version.c version.h \ + \ + $(LSM_SOURCES) if IS_BIONIC liblxc_so_SOURCES += \ @@ -107,6 +120,10 @@ if ENABLE_APPARMOR AM_CFLAGS += -DHAVE_APPARMOR endif +if ENABLE_SELINUX +AM_CFLAGS += -DHAVE_SELINUX +endif + if HAVE_NEWUIDMAP AM_CFLAGS += -DHAVE_NEWUIDMAP endif diff --git a/src/lxc/apparmor.c b/src/lxc/apparmor.c deleted file mode 100644 index 4dad801..000 --- a/src/lxc/apparmor
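Review bot: in the configure.ac hunk, `AC_SUBST([SELINUX_LIBS])` substitutes an empty variable, unlike the AppArmor block just above it, which sets `AC_SUBST([APPARMOR_LIBS], [-lapparmor])`. Either give it the value `[-lselinux]` so Makefile.am can link it explicitly, or drop it; as written the build only links because `AC_CHECK_LIB([selinux], [setexeccon_raw],[],...)` with an empty action-if-found prepends -lselinux to LIBS for every target.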
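Review bot: the doc hunk at @@ -804 documents one key, lxc.lsm_label, with two different "do not confine" values: `lxc.lsm_label = unconfined` in the AppArmor text and `unconfined_t` as the SELinux default. The text should say what the default is when the key is absent and whether the parser accepts both spellings on either backend; otherwise a user who copies the wrong one gets a profile or context lookup failure at start. The example `unconfined_u:unconfined_r:lxc_t:s0-s0:c0.c1023` also depends on the lxc_t type from the in-progress policy module mentioned in the cover letter, so the paragraph should state that the module must be installed for that context to exist.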
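Review bot: in the Makefile.am hunk at @@ -107, only `-DHAVE_SELINUX` is added to AM_CFLAGS; none of the Makefile.am hunks shown puts `$(SELINUX_LIBS)` on the liblxc link line, so the library dependency is carried implicitly by the LIBS side effect of AC_CHECK_LIB in configure.ac rather than stated next to the conditional sources. Adding the `$(SELINUX_LIBS)` reference under `if ENABLE_SELINUX` alongside the -D flag keeps the two conditions in one place and survives a later change of AC_CHECK_LIB to an explicit action-if-found.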