Re: how to do not allow to mount /cgroup inside container?

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Serge E. Hallyn" <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
To: kt-S89nZTSLPHGGdvJs77BJ7Q@public.gmane.org
Cc: containers-qjLDD68F18O7TbgM5vRIOg@public.gmane.org,
	lxc-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org
Subject: Re: how to do not allow to mount /cgroup inside container?
Date: Tue, 25 Aug 2009 12:45:09 -0500	[thread overview]
Message-ID: <20090825174509.GA26679@us.ibm.com> (raw)
In-Reply-To: <ac1c4bf20908250743t9c30c27ud3ff649003465334-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>

Quoting Krzysztof Taraszka (krzysztof.taraszka-S89nZTSLPHGGdvJs77BJ7Q@public.gmane.org):
> 2009/8/25 Serge E. Hallyn <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
> 
> > Quoting Daniel Lezcano (daniel.lezcano-GANU6spQydw@public.gmane.org):
> > > Krzysztof Taraszka wrote:
> > >> Hi,
> > >>
> > >> I was looking for possibility to secure lxc container to do not allow
> > 'root
> > >> container user'  from changing limits from cgroup. Right now without
> > STACK64
> > >> or SELinux he can do this easily.
> > >> I read the
> > http://www.ibm.com/developerworks/linux/library/l-lxc-security/cookbook
> > >> and decided to use STACK64 kernel mechanism.
> > >> Well... mounting cgroup inside container fails (great!, i am looked for
> > that
> > >> ;)) but networking fails too (interface bring up, sshd bring up,
> > connection
> > >> beetween host and container is, but 'mtr', 'ping' even 'apt-get update'
> > >> fails and I do not know why). I secure my container exactly like in the
> > >> cookbook.
> >
> > Yeah, smack's use of cipso can make things tricky, and it's possible things
> > have changed a bit recently.  Although I'm currently running smack in my
> > everyday s390 kernel to test checkpointing of its labels, and networking
> > is working fine.
> 
> 
> > Can you give me a few details - what distro, smack policy, and precise
> > kernel
> > version are you using, for starters?
> >
> 
> debian lenny amd64,
> kernel 2.6.30.5
> lxc-tools from git
> 
> lxc1amd64:~# cat /etc/smackaccesses
> debian _ rwa
> _ debian rwa
> _ host rwax
> host _ rwax

Ok, I think what you want to do is use /smack/netlabel as shown around line
425 in linux-2.6/Documentation/Smack.txt.  I haven't played with it yet,
but will tomorrow if you don't get a chance.  So basically I think you should
be able to do:

echo 127.0.0.1 -CIPSO > /smack/netlabel
echo 0.0.0.0/0 @      > /smack/netlabel

to open up the network.

Does that work?

-serge

next prev parent reply	other threads:[~2009-08-25 17:45 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-08-25 12:17 how to do not allow to mount /cgroup inside container? Krzysztof Taraszka
     [not found] ` <ac1c4bf20908250517j43d49f9fv1b5d6d5beae8aa-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2009-08-25 12:47   ` Daniel Lezcano
     [not found]     ` <4A93DD67.5030905-GANU6spQydw@public.gmane.org>
2009-08-25 14:05       ` Serge E. Hallyn
     [not found]         ` <20090825140537.GA19644-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-08-25 14:43           ` Krzysztof Taraszka
     [not found]             ` <ac1c4bf20908250743t9c30c27ud3ff649003465334-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2009-08-25 14:51               ` Krzysztof Taraszka
2009-08-25 17:45               ` Serge E. Hallyn [this message]
     [not found]                 ` <20090825174509.GA26679-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-08-25 20:12                   ` Krzysztof Taraszka
     [not found]                     ` <ac1c4bf20908251312w11ac752vb9298beae15f6536-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2009-08-25 20:25                       ` Serge E. Hallyn

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20090825174509.GA26679@us.ibm.com \
    --to=serue-r/jw6+rmf7hqt0dzr+alfa@public.gmane.org \
    --cc=containers-qjLDD68F18O7TbgM5vRIOg@public.gmane.org \
    --cc=kt-S89nZTSLPHGGdvJs77BJ7Q@public.gmane.org \
    --cc=lxc-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.