[lxc-devel] [RFC PATCH 11/11] loop: Allow priveleged operations for root in the namespace which owns a device
Seth Forshee
seth.forshee at canonical.com
Mon May 26 15:45:36 UTC 2014
On Mon, May 26, 2014 at 11:32:05AM -0400, Michael H. Warfield wrote:
> On Mon, 2014-05-26 at 11:16 +0200, Seth Forshee wrote:
> > On Fri, May 23, 2014 at 08:48:25AM +0300, Marian Marinov wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > One question about this patch.
> > >
> > > Why don't you use the devices cgroup check if the root user in that namespace is allowed to use this device?
> > >
> > > This way you can be sure that the root in that namespace can not access devices to which the host system did not gave
> > > him access to.
>
> > That might be possible, but I don't want to require something on the
> > host to whitelist the device for the container. Then loop would need to
> > automatically add the device to devices.allow, which doesn't seem
> > desirable to me. But I'm not entirely opposed to the idea if others
> > think this is a better way to go.
>
> I don't see any safe way to avoid it. The host has to be in control of
> what devices can and can not be accessed by the container.
Hmm, for testing I've been giving access to 7:* block devices since my
containers can't mknod and only see device nodes for loop devices they
have access to, but maybe I'm not being sufficiently paranoid.
More information about the lxc-devel
mailing list