From: "Daniel P. Berrange" <berrange-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
To: "Serge E. Hallyn" <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org, "Tanaka, Thomas" <thomas.tanaka-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>, Dave Hansen <dave-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
Subject: Re: Building a SECURE cointainer using Cgroups ?
Date: Tue, 14 Oct 2008 09:53:39 +0100
Message-ID: <20081014085339.GA10745@redhat.com>
In-Reply-To: <20081013192921.GA10814-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
On Mon, Oct 13, 2008 at 02:29:21PM -0500, Serge E. Hallyn wrote:
> Quoting Dave Hansen (dave-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org):
> > On Mon, 2008-10-13 at 11:01 -0700, Tanaka, Thomas wrote:
> > > Yes absolutely that is what I am trying to achieve.
> >
> > I'm going to put on my Serge hat and bet that you can do it with
> > security modules. :)
>
> Right, your goal is still not very precise, but a security module -
> smack or selinux - might be your best bet.
>
> > There's nothing that cgroups or containers gives you that will help with
> > your problem. We actually haven't touched the fs namespaces at all yet,
> > because they work great as they stand today.
>
> No, but there is the device whitelist cgroup and capability bounding
> sets - perhaps that is what he is asking about?
>
> If you have a normal chroot - or a container created with
> clone(CLONE_NEWNS) followed by pivot_root into a completely isolated
> file system tree (say, created using debootstrap), then a root user in
> that pivot_root can simply mount /dev/hda1 /mnt and chroot back into
> that.
>
> So to make the above a little more secure, you can
>
> 1. restrict the container's device whitelist so that it can't
> create or use the devices representing the hard drive.
We follow this approach & use the device whitelist capability in libvirt's
LXC driver now for exactly this purpose. Works quite nicely really. There
are still some other holes like a private dev-pts but those are in progress.
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
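The policy Serge sketches above (deny every device, then whitelist a few) and the libvirt LXC practice Daniel describes, as an added shell example that is not code from this thread or from libvirt. It assumes the cgroup v1 devices controller and takes the container's cgroup directory from a hypothetical CONTAINER_CGROUP variable; the audit step checks the resulting devices.list for the "mount the disk and chroot back" hole the thread describes.

```shell
#!/bin/sh
# Added example (not libvirt's code). Applies the policy from the thread to a
# cgroup v1 "devices" controller: drop the inherited allow-all rule, whitelist
# a handful of character devices, and audit the result for the escape route
# quoted above (a block device the container could mount and chroot into).
# Assumptions: cgroup v1 devices controller; the container's cgroup directory
# is passed in CONTAINER_CGROUP (e.g. /sys/fs/cgroup/devices/lxc/guest1).

# Whitelist entries in the controller's "<type> <major>:<minor> <access>"
# format (access flags: r read, w write, m mknod). Char devices only: no
# entry of type "b", so the container can neither open nor mknod a disk.
container_device_rules() {
    cat <<'EOF'
c 1:3 rwm
c 1:5 rwm
c 1:7 rwm
c 1:8 rwm
c 1:9 rwm
c 5:0 rwm
c 5:1 rwm
c 5:2 rwm
c 136:* rwm
EOF
}

# Write the policy into the cgroup directory given as $1. Each rule is a
# separate write: on cgroupfs every write is one rule, not a file's contents.
apply_device_whitelist() {
    echo a > "$1/devices.deny" || return 1
    container_device_rules | while read -r rule; do
        echo "$rule" > "$1/devices.allow" || exit 1
    done
}

# Audit the effective rules (devices.list of the cgroup, path in $1).
# A wildcard "a" entry means nothing was denied; a "b" entry means some
# block device is still reachable. Prints offenders, returns 1 if any.
audit_device_list() {
    awk '$1 == "a" { bad++; print "allow-all rule: " $0 }
         $1 == "b" { bad++; print "block device:   " $0 }
         END { exit (bad > 0) }' "$1"
}

if [ -n "${CONTAINER_CGROUP:-}" ]; then
    apply_device_whitelist "$CONTAINER_CGROUP" &&
        audit_device_list "$CONTAINER_CGROUP/devices.list"
fi
```

Run it as root with CONTAINER_CGROUP pointing at the container's devices cgroup; a non-zero exit from the audit means the whitelist still admits a block device.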