Re: [libvirt] [PATCH 2/2] lxc: Only delegate VIR_CGROUP_CONTROLLER_SYSTEMD to containers
On Fri, Feb 14, 2014 at 08:49:07AM +0100, Richard Weinberger wrote:
Am 13.02.2014 18:16, schrieb Daniel P. Berrange:
> On Tue, Feb 11, 2014 at 11:51:26PM +0100, Richard Weinberger wrote:
>> Due to security concerns we delegate only VIR_CGROUP_CONTROLLER_SYSTEMD
>> to containers.
>> Currently it is not safe to allow a container access to a resource controller.
>>
>
> We *do* want to allow all controllers to be visible to the container.
> eg it is valid for them to have read access to view things like block
> I/O and CPU accounting information. We just don't want to make it writable
> for usernamespaces.
Okay. But what if one does not enable user namespaces?
Then the controllers are writable within the container.
If you don't enable user namespaces, then containers should be considered
insecure unless all processes run non-root and all your filesystems are
mounted no-setuid to prevent escalation fo privileges back to root, or you
have SELinux applying controls.
So once ypou have the requirement that security depends on being non-root
then the cgroups are no longer writable, except when your consider is
already insecure for other reasons.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|