Re: [libvirt] [PATCH 2/2] lxc: Only delegate VIR_CGROUP_CONTROLLER_SYSTEMD to containers

On Fri, Feb 14, 2014 at 08:49:07AM +0100, Richard Weinberger wrote: > Am 13.02.2014 18:16, schrieb Daniel P. Berrange: >> On Tue, Feb 11, 2014 at 11:51:26PM +0100, Richard Weinberger wrote: >>> Due to security concerns we delegate only VIR_CGROUP_CONTROLLER_SYSTEMD >>> to containers. >>> Currently it is not safe to allow a container access to a resource controller. >>> >> >> We *do* want to allow all controllers to be visible to the container. >> eg it is valid for them to have read access to view things like block >> I/O and CPU accounting information. We just don't want to make it writable >> for usernamespaces. > > Okay. But what if one does not enable user namespaces? > Then the controllers are writable within the container. If you don't enable user namespaces, then containers should be considered insecure unless all processes run non-root and all your filesystems are mounted no-setuid to prevent escalation fo privileges back to root, or you have SELinux applying controls.

So once ypou have the requirement that security depends on being non-root then the cgroups are no longer writable, except when your consider is already insecure for other reasons.