From: "Serge E. Hallyn" <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
To: Dwight Schauer <dschauer-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org
Subject: Re: LXC PIDs, UIDs, and halt
Date: Tue, 13 Oct 2009 14:59:21 -0500
Message-ID: <20091013195921.GA20345@us.ibm.com>
In-Reply-To: <68e6eac60910122206i7c39fca0u52ab037748217336-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
Quoting Dwight Schauer (dschauer-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org):
> On Mon, Oct 12, 2009 at 10:03 AM, Serge E. Hallyn <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org> wrote:
>
> > Quoting Dwight Schauer (dschauer-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org):
> > > 4) In an openSUSE container when I execute "halt" it is not just the
> > > container that halts, but the controlling host as well that shuts down.
> >
> > Make sure that the container is launched with CAP_SYS_BOOT removed from
> > the capability bounding set.
> >
>
> Ok, well it turns out any container can halt the whole system.
>
> If I do:
> capsh --drop="cap_sys_boot" -- -c "lxc-start -n arch-test0"
> Then do a halt within the container, the halt still works.
> A "reboot" within a container does not reboot the controlling host, the
> container runs the shutdown scripts and then idles.
>
> However, if on the controlling host I do:
> capsh --drop="cap_kill" -c "bash --login -i"
> Then the subsequent shell can't use kill which I have verified.
>
> Well, these performed on the controlling host:
> capsh --drop="cap_sys_boot" -- -c "halt"
> capsh --drop="cap_sys_boot" -- -c "reboot"
>
> Still halt and reboot my system.
>
> So I know that capabilities are working, I just have not figured out yet how
> to prevent containers from being able to halt the controlling host (short of
> simply not executing "halt" within a container or renaming/removing "halt"
> and "shutdown" but then "init 0" would still work).
>
> CAP_SYS_BOOT seems to control reboot, which has not been an issue, I've not
> gotten a container to reboot the controlling host.

HAH! It's upstart, the latest incarnation of init (at least on Fedora). It
takes commands over an abstract unix domain socket,
"/com/ubuntu/upstart/<pid>". If you start your container in a new network
namespace, then halt fails.

I haven't gone through the code enough to see exactly how, then,
upstart (in userspace) authorizes the halt request. Since 'pid'
is encoded in the socket name, I assume it looks at /proc/pid/status.
So it easily could check for CAP_SYS_BOOT \notin pE, or even
check whether it's supposed to be in a container (using some config
files in userspace if somesuch could be agreed upon by everyone, not
really likely).

Oh, yeah, upstart-0.3.11/init/main.c checks whether geteuid()==0.
Wonderful.
-serge
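The check Serge sketches above, written out as an added example (this is editor's illustration code, not upstart's source and not anything posted in the thread). The reboot(2) system call itself requires CAP_SYS_BOOT of the calling process, so dropping that capability from the container's bounding set only helps if the process that ends up calling reboot(2) is inside the container; when "halt" merely sends a request to init over a socket, init's own capabilities and init's own authorization policy decide. The code contrasts the euid-only policy Serge found in upstart-0.3.11 with a policy that also requires CAP_SYS_BOOT in the requester's effective set, parsed from /proc/<pid>/status. Assumptions: CAP_SYS_BOOT is bit 22 (from linux/capability.h); the two status files are constructed samples, and the authorize_* functions are hypothetical policy names chosen for this example.

```python
# Added example (not from the thread): authorizing a halt request by the
# requester's /proc/<pid>/status instead of only its effective uid.
import os

CAP_SYS_BOOT = 22  # bit index from <linux/capability.h>


def parse_status(text):
    """Parse the 'Key:<tab>value' lines of a /proc/<pid>/status file into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def effective_uid(status):
    """The Uid: line holds real, effective, saved and filesystem uid, in that order."""
    return int(status["Uid"].split()[1])


def effective_caps(status):
    """CapEff: is a hex bitmask of the effective capability set (pE)."""
    return int(status["CapEff"], 16)


def has_cap(status, cap_bit):
    """True if the given capability bit is set in pE."""
    return bool(effective_caps(status) >> cap_bit & 1)


def authorize_halt_euid_only(status):
    """Hypothetical policy matching what the message reports for upstart-0.3.11: root is enough."""
    return effective_uid(status) == 0


def authorize_halt_with_cap(status):
    """Hypothetical stricter policy: root *and* CAP_SYS_BOOT must be in pE."""
    return effective_uid(status) == 0 and has_cap(status, CAP_SYS_BOOT)


def read_status(pid):
    """Read and parse the live status file for a pid (Linux only)."""
    with open(f"/proc/{pid}/status") as f:
        return parse_status(f.read())


# Constructed sample: a uid-0 "halt" process whose capability sets lack
# CAP_SYS_BOOT, as for a container started under capsh --drop="cap_sys_boot".
# 0x3fffffffff with bit 22 cleared is 0x3fffbfffff.
SAMPLE_NO_SYS_BOOT = """\
Name:\thalt
Pid:\t1234
Uid:\t0\t0\t0\t0
Gid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t0000003fffbfffff
CapEff:\t0000003fffbfffff
CapBnd:\t0000003fffbfffff
"""

# Constructed sample: the same process with the full capability set on the host.
SAMPLE_FULL_CAPS = SAMPLE_NO_SYS_BOOT.replace("3fffbfffff", "3fffffffff")

if __name__ == "__main__":
    for label, text in (("container", SAMPLE_NO_SYS_BOOT), ("host", SAMPLE_FULL_CAPS)):
        st = parse_status(text)
        print(label, "euid-only:", authorize_halt_euid_only(st),
              "with-cap:", authorize_halt_with_cap(st))
    if os.path.exists("/proc/self/status"):
        me = read_status("self")
        print("this process has CAP_SYS_BOOT in pE:", has_cap(me, CAP_SYS_BOOT))
```

Run on the constructed samples, the euid-only policy accepts both requesters, while the capability-aware policy accepts only the host-side one; on a real system, read_status("self") shows whether the current process could itself call reboot(2). The pid an init daemon would look up here is the one it learns from the requesting connection, which is why the abstract socket name carrying the pid matters in the message above.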