On Thu, Aug 28, 2008 at 11:56:58PM +0100, Daniel P. Berrange wrote:
When I wrote the private root filesystem stuff for LXC (which I just committed) I noted that we couldn't actually make this secure, because someone inside the chroot can just 'mknod' and access the host devices.
What I completely forgot was that cgroups as of 2.6.26 has device ACLs If we place every container in a cgroup (which was planned anyway), then we can trivially prevent containers accessing host devices
One time setup
mount -t cgroups /dev/cgroups mkdir /dev/cgroups/libvirt mkdir /dev/cgroups/libvirt/lxc
For each new container 'NAME'
mkdir /dev/cgroups/libvirt/lxc/{NAME} echo "a" > /dev/cgroups/libvirt/lxc/{NAME}/devices.deny echo "c 1:3 rwm" > /dev/cgroups/libvirt/lxc/{NAME}/devices.allow echo "c 1:5 rwm" > /dev/cgroups/libvirt/lxc/{NAME}/devices.allow echo "c 1:7 rwm" > /dev/cgroups/libvirt/lxc/{NAME}/devices.allow echo "c 5:1 rwm" > /dev/cgroups/libvirt/lxc/{NAME}/devices.allow echo "c 1:8 rwm" > /dev/cgroups/libvirt/lxc/{NAME}/devices.allow echo "c 1:9 rwm" > /dev/cgroups/libvirt/lxc/{NAME}/devices.allow
This denies all devices, and then allows null, zero, full, console, random and urandom. Allowing use of 'random' is debatable.
Sounds fine to me, the first 4 sounds unavoidable, for (u)random I guess that will be needed for most setup but there we are at the limit of libvirt, i.e. start to step on the policies for the guests
The 'devpts' namespace stuff is also needed to provide private PTYs. The 'user' namespace stuff is needed to prevent an unprivileged user in the host OS from killing off processes with same UID inside the container. There looks to be active patchsets for both of these being discussed, so we're getting close to having a genuinely useful container based virt driver with LXC
Which is something I would love to see for Fedora 10, possibly as an update. Daniel -- Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/ daniel@veillard.com | Rpmfind RPM search engine http://rpmfind.net/ http://veillard.com/ | virtualization library http://libvirt.org/