On Wed, Oct 18, 2017 at 09:00:17PM +0300, mxs kolo wrote:
Hi all
Each lxc container on node have mounted tmpfs for cgroups tree:
[root-inside-lxc@tst1 ~]# mount | grep cgroups
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup
(rw,nosuid,nodev,noexec,relatime,cpuacct,cpu)
cgroup on /sys/fs/cgroup/cpuset type cgroup
(rw,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/memory type cgroup
(rw,nosuid,nodev,noexec,relatime,memory)
cgroup on /sys/fs/cgroup/devices type cgroup
(rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/freezer type cgroup
(rw,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/blkio type cgroup
(rw,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup
(rw,nosuid,nodev,noexec,relatime,net_prio,net_cls)
cgroup on /sys/fs/cgroup/perf_event type cgroup
(rw,nosuid,nodev,noexec,relatime,perf_event)
cgroup on /sys/fs/cgroup/systemd type cgroup
(rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd)
cgroup on /sys/fs/cgroup/hugetlb type cgroup
(rw,nosuid,nodev,noexec,relatime,hugetlb)
cgroup on /sys/fs/cgroup/pids type cgroup (rw,nosuid,nodev,noexec,relatime,pids)
It's by default, at least in my case.
Problem is, that it's full cgroups tree - from hardware node and from
all another containers on node.
[root-inside-lxc@tst1 ~]# for i in `ls
/sys/fs/cgroup/devices/machine.slice/machine-lxc*/devices.list`; do
echo $i; cat $i; done
/sys/fs/cgroup/devices/machine.slice/machine-lxc\x2d10297\x2dtst2.scope/devices.list
c 1:3 rwm
c 1:5 rwm
c 1:7 rwm
c 1:8 rwm
c 1:9 rwm
c 5:0 rwm
c 5:2 rwm
c 10:229 rwm
b 253:6 rw
c 136:* rwm
/sys/fs/cgroup/devices/machine.slice/machine-lxc\x2d9951\x2dtst1.scope/devices.list
c 1:3 rwm
c 1:5 rwm
c 1:7 rwm
c 1:8 rwm
c 1:9 rwm
c 5:0 rwm
c 5:2 rwm
c 10:229 rwm
b 253:7 rw
c 136:* rwm
Hardware node file, view inside tst1 container:
[root-inside-lxc@tst1 ~]# cat /sys/fs/cgroup/devices/devices.list
a *:* rwm
What is best way to prevent viewing and editing of all cgroups
structures except belonging to current lxc container (selinux,
apparmor ) ?
Why libvirt mount /sys/fs/cgroup/* inside container as rw ?
We use kernel 3.10.0-693.2.2.el7.x86_64 and XFS and therefore our
containers are privileged. Yes, we know that in such containers root
can use SysRq at least for reboot hardware node. But problem with
cgroups can be more hidden and cryptic.
p.s.
As show short test, root user can disable device zero on node
[root-lxc@tst1 ~]# echo "c 1:5 rwm" > /sys/fs/cgroup/devices/devices.deny
or all devices in another container
[root-lxc@tst1 ~]# echo "a *:* rwm" >
/sys/fs/cgroup/devices/machine.slice/machine-lxc\x2d10297\x2dtst2.scope/devices.deny
There's only two ways to make a container secure
- Use user namespaces
- Apply SELinux policy to the container
If neither of those are used, we don't try to play games to hide stuff
like cgroups from root inside a container, as that's just security through
obscurity
Regards,
Daniel
--
|:
https://berrange.com -o-
https://www.flickr.com/photos/dberrange :|
|:
https://libvirt.org -o-
https://fstop138.berrange.com :|
|:
https://entangle-photo.org -o-
https://www.instagram.com/dberrange :|