From: "Serge E. Hallyn" <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
To: Dwight Schauer <dschauer-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org
Subject: Re: LXC PIDs, UIDs, and halt
Date: Tue, 13 Oct 2009 14:59:21 -0500
Message-ID: <20091013195921.GA20345@us.ibm.com>
In-Reply-To: <68e6eac60910122206i7c39fca0u52ab037748217336-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
Quoting Dwight Schauer (dschauer-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org):
> On Mon, Oct 12, 2009 at 10:03 AM, Serge E. Hallyn <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org> wrote:
>
> > Quoting Dwight Schauer (dschauer-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org):
> > > 4) In an openSUSE container when I execute "halt" it is not just the
> > > container that halts, but the controlling host as well that shuts down.
> >
> > Make sure that the container is launched with CAP_SYS_BOOT removed from
> > the capability bounding set.
> >
>
> Ok, well it turns out any container can halt the whole system.
>
> If I do:
> capsh --drop="cap_sys_boot" -- -c "lxc-start -n arch-test0"
> Then do a halt within the container, the halt still works.
> A "reboot" within a container does not reboot the controlling host, the
> container runs the shutdown scripts and then idles.
>
> However, if on the controlling host I do:
> capsh --drop="cap_kill" -c "bash --login -i"
> Then the subsequent shell can't use kill which I have verified.
>
> Well, these performed on the controlling host:
> capsh --drop="cap_sys_boot" -- -c "halt"
> capsh --drop="cap_sys_boot" -- -c "reboot"
>
> Still halt and reboot my system.
>
> So I know that capabilities are working, I just have not figured out yet how
> to prevent containers from being able to halt the controlling host (short of
> simply not executing "halt" within a container or renaming/removing "halt"
> and "shutdown" but then "init 0" would still work).
>
> CAP_SYS_BOOT seems to control reboot, which has not been an issue, I've not
> gotten a container to reboot the controlling host.
HAH! It's upstart, the latest incarnation of init (at least on Fedora). It
takes commands over an abstract unix domain socket,
"/com/ubuntu/upstart/<pid>". If you start your container in a new network
namespace, then halt fails.

I haven't gone through the code enough to see exactly how, then,
upstart (in userspace) authorizes the halt request. Since 'pid'
is encoded in the socket name, I assume it looks at /proc/pid/status.
So it easily could check for CAP_SYS_BOOT \notin pE, or even
check whether it's supposed to be in a container (using some config
files in userspace if somesuch could be agreed upon by everyone, not
really likely).

Oh, yeah, upstart-0.3.11/init/main.c checks whether geteuid()==0.
Wonderful.

-serge
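The check Serge describes, a privileged daemon refusing a halt request unless the requesting process actually holds CAP_SYS_BOOT in its effective set, as an added example that is not part of the original thread and not upstart's code. It accepts a connection on an abstract unix domain socket (leading NUL byte, no filesystem entry, scoped to the network namespace, which is why a fresh network namespace makes the container's halt fail), recovers the peer's pid with SO_PEERCRED instead of trusting a pid embedded in a socket name, and parses the CapEff line of /proc/<pid>/status. The two status texts are constructed samples; the socket name and function names are my own choices. CAP_SYS_BOOT is bit 22 as defined in <linux/capability.h>.

```python
import os
import re
import socket
import struct

# Capability number of CAP_SYS_BOOT from <linux/capability.h>.
CAP_SYS_BOOT = 22

# Constructed /proc/<pid>/status fragments: a host root process with a full
# effective set, and a container init started after capsh --drop=cap_sys_boot
# (bit 22 cleared: 0x...ffffff -> 0x...bfffff).
SAMPLE_HOST_STATUS = """Name:\tinit
Pid:\t1
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\tffffffffffffffff
CapEff:\tffffffffffffffff
"""
SAMPLE_CONTAINER_STATUS = """Name:\tinit
Pid:\t4242
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\tffffffffffbfffff
CapEff:\tffffffffffbfffff
CapBnd:\tffffffffffbfffff
"""


def cap_in_mask(mask_hex, cap):
    """True if capability number `cap` is set in a hex mask as printed in /proc."""
    return (int(mask_hex, 16) >> cap) & 1 == 1


def parse_cap_sets(status_text):
    """Collect the Cap* lines of a /proc/<pid>/status text into {name: int}."""
    sets = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", line)
        if m:
            sets[m.group(1)] = int(m.group(2), 16)
    return sets


def authorize_halt(status_text):
    """Authorization rule from the thread: allow only if CAP_SYS_BOOT is in pE.
    Missing CapEff is treated as a refusal rather than an allow."""
    sets = parse_cap_sets(status_text)
    if "CapEff" not in sets:
        return False
    return (sets["CapEff"] >> CAP_SYS_BOOT) & 1 == 1


def peer_credentials(conn):
    """Kernel-supplied (pid, uid, gid) of the peer on a unix socket (Linux only).
    SO_PEERCRED fills struct ucred { pid_t pid; uid_t uid; gid_t gid; }."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    return struct.unpack("3i", raw)


def peer_may_halt(conn):
    """Look up the connecting process by its kernel-reported pid and apply
    authorize_halt to its live /proc status; a vanished peer is refused."""
    pid, _uid, _gid = peer_credentials(conn)
    try:
        with open("/proc/%d/status" % pid) as f:
            return authorize_halt(f.read())
    except OSError:
        return False


if __name__ == "__main__":
    # Abstract socket name (hypothetical path, modelled on upstart's per-pid name).
    name = b"\0/com/example/halt-demo/%d" % os.getpid()
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(name)
    srv.listen(1)
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    cli.connect(name)          # same network namespace, so the name resolves
    conn, _ = srv.accept()
    pid, uid, gid = peer_credentials(conn)
    print("peer pid=%d uid=%d gid=%d may halt: %s" % (pid, uid, gid, peer_may_halt(conn)))
    for s in (conn, cli, srv):
        s.close()
```

Run as an unprivileged user the demo reports "may halt: False" because the caller's CapEff lacks bit 22; the constructed samples show the same decision for a full root set versus a set with cap_sys_boot dropped. A euid==0 test, as in the upstart release quoted above, cannot tell those two apart.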