[lxc-devel] Patch/RFC: allow pivot_root, unmount old fs

Daniel Lezcano dlezcano at fr.ibm.com
Tue Jan 5 20:35:04 UTC 2010


Michael Holzt wrote:
> Hello everyone,
> 
> I've written another (experimental) patch and would like comments on it.
> 
> lxc currently does a chroot into the target rootfs. chroot is insecure and
> can easily be broken, as demonstrated here:
> 
> | root@synergy:~# touch /this_is_the_realrootfs_ouch
> | # touch /container/webhost/this_is_the_container
> | # lxc-start -n webhost /bin/sh
> | # ls this*
> | this_is_the_container
> | # ./breakchroot
> | # ls this*
> | this_is_the_realrootfs_ouch
> 
> code to break chroot taken from
> http://www.bpfh.net/simes/computing/chroot-break.html

He ! :)

> Now this can be fixed. As our container has its own mount namespace, we can
> easily pivot_root into the rootfs and then unmount all old mounts. The patch
> attached adds a new config keyword which contains the path to a temporary
> mount for the old rootfs (inside the container). This stops the chroot break
> method shown before.

Umounting everything in the container may break the ro-bind mount of 
some different configuration scheme; we have to look at how to deal with 
that. Otherwise +1 for the pivot_root.

> Example:
> 
> | root@synergy:~# grep pivotdir /var/lib/lxc/webhost/config
> | lxc.pivotdir = /oldrootfs
> | root@synergy:~# ls -lad /container/webhost/oldrootfs
> | drwxr-xr-x 2 root root 4096 2010-01-02 03:59 /container/webhost/oldrootfs
> | root@synergy:~# lxc-start -n webhost /bin/sh
> | # mount -t proc proc /proc
> | # cat /proc/mounts
> | rootfs / rootfs rw 0 0
> | /dev/root / ext3 rw,relatime,errors=remount-ro,data=writeback 0 0
> | devpts /dev/console devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
> | proc /proc proc rw,relatime 0 0
> | # ls this*
> | this_is_the_container
> | # ./breakchroot
> | # ls this*
> | this_is_the_container
> 
> The patch is somewhat ugly for now, but I think this feature is very
> useful and this approach should be implemented.
> 
> Please try and comment!

Will do :)

   -- Daniel
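The pivot_root-and-unmount step the RFC describes, as an added example in C; this is neither the attached patch nor lxc's own code. It assumes a prepared rootfs directory and an empty directory inside it that will receive the old root (mirroring the proposed lxc.pivotdir keyword); the function names mounts_under and pivot_and_strip_old_root are made up here. Two details the thread does not spell out are made explicit: the new mount namespace is switched to private propagation (MS_REC | MS_PRIVATE) before anything is unmounted, so that on a system whose root mount is shared the unmounts cannot reach the host, and the old tree is detached lazily (MNT_DETACH) to avoid EBUSY from the still-running processes. The mount-table parser that decides the unmount order is a pure function and can be exercised unprivileged; the pivot itself needs CAP_SYS_ADMIN.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/syscall.h>

#define MAX_MOUNTS 256
#define PATH_LEN 256

/* pivot_root(2) has no glibc wrapper; invoke it through syscall(2). */
static int do_pivot_root(const char *new_root, const char *put_old)
{
    return (int)syscall(SYS_pivot_root, new_root, put_old);
}

/* Collect, from /proc/mounts-format text, every mount point that is `prefix`
 * or lies below it, deepest path first so each child is unmounted before its
 * parent.  Returns the count written to `out`, or -1 if more than `max`
 * match.  Pure function, usable unprivileged. */
int mounts_under(const char *mounts_text, const char *prefix,
                 char out[][PATH_LEN], int max)
{
    size_t plen = strlen(prefix);
    const char *line = mounts_text;
    int n = 0;

    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[1024], mnt[PATH_LEN];

        if (len >= sizeof(buf)) len = sizeof(buf) - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        /* fields: source mountpoint fstype options dump pass */
        if (sscanf(buf, "%*s %255s", mnt) == 1 && strncmp(mnt, prefix, plen) == 0 &&
            (mnt[plen] == '\0' || mnt[plen] == '/')) {
            if (n == max) return -1;
            strcpy(out[n++], mnt);
        }
        line = eol ? eol + 1 : line + len;
    }
    for (int i = 1; i < n; i++) {            /* insertion sort, longest path first */
        char key[PATH_LEN];
        int j = i - 1;
        strcpy(key, out[i]);
        for (; j >= 0 && strlen(out[j]) < strlen(key); j--) strcpy(out[j + 1], out[j]);
        strcpy(out[j + 1], key);
    }
    return n;
}

/* Privileged part (CAP_SYS_ADMIN): private mount namespace, pivot into
 * new_root, then detach and remove the old root tree.  pivot_dir is an empty
 * directory inside new_root (the RFC's lxc.pivotdir, e.g. "/oldrootfs"). */
int pivot_and_strip_old_root(const char *new_root, const char *pivot_dir)
{
    static char text[65536], old[MAX_MOUNTS][PATH_LEN];
    char path[PATH_LEN * 2];
    const char *rel = (*pivot_dir == '/') ? pivot_dir + 1 : pivot_dir;
    FILE *f;
    int n;

    if (unshare(CLONE_NEWNS) < 0) return -1;
    /* Keep our unmounts from propagating back into the host namespace. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0) return -1;
    /* pivot_root needs new_root to be a mount point: bind it onto itself. */
    if (mount(new_root, new_root, NULL, MS_BIND | MS_REC, NULL) < 0) return -1;
    if (chdir(new_root) < 0 || do_pivot_root(".", rel) < 0 || chdir("/") < 0) return -1;
    /* The old /proc is still reachable below pivot_dir; the new root may have none yet. */
    snprintf(path, sizeof(path), "%s/proc/self/mounts", pivot_dir);
    if (!(f = fopen(path, "r"))) return -1;
    text[fread(text, 1, sizeof(text) - 1, f)] = '\0';
    fclose(f);
    if ((n = mounts_under(text, pivot_dir, old, MAX_MOUNTS)) < 0) return -1;
    for (int i = 0; i < n; i++)              /* MNT_DETACH: no EBUSY on busy subtrees */
        if (umount2(old[i], MNT_DETACH) < 0) return -1;
    return rmdir(pivot_dir);
}

int main(int argc, char **argv)
{
    if (argc != 3 || geteuid() != 0) {
        fprintf(stderr, "usage (as root): %s <new_root> <pivot_dir>\n", argv[0]);
        return 2;
    }
    if (pivot_and_strip_old_root(argv[1], argv[2]) < 0) {
        perror("pivot_and_strip_old_root");
        return 1;
    }
    /* A shell in the new root: cat /proc/mounts now shows only container mounts. */
    execl("/bin/sh", "sh", (char *)NULL);
    perror("execl");
    return 1;
}
```

Run it as root in a throwaway VM, e.g. `./pivot /container/webhost /oldrootfs`, and compare `cat /proc/mounts` in the resulting shell with the listing in the RFC: the old root and everything under it are gone, and the pivot directory has been removed, so there is no parent mount left for a chroot-escape loop to climb into. The ro-bind mounts Daniel mentions are exactly what the deepest-first list exposes; a configuration that wants to keep some of them would filter that list rather than unmount it wholesale.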