[lxc-devel] bugs with LXC container : mount and rmmod command

Daniel Lezcano daniel.lezcano at free.fr
Thu Mar 4 19:22:50 UTC 2010 

Elias Olivares wrote:
> Hi ! 
> 
> I've tried to reproduce this bug on 0.6.5 lxc release and the same bug appears when i run the umount command or rmmod command. 
> 
> To reproduce the bug : 
> 
> Host name : debian 
> Guest container name : container 
> 
> You MUST create a dedicated partition to share your containers (an other partition than " / ") 
> 
> debian:# df 
> 
> /dev/hda1 7850996 2058732 5393452 28% / 
> tmpfs 253768 0 253768 0% /lib/init/rw 
> udev 10240 108 10132 2% /dev 
> tmpfs 253768 0 253768 0% /dev/shm 
> /dev/hdb1 4127076 552552 3364880 15% /mnt/vmr1 
> 
> Then enter into the container (lxc-console -n container) and stop cron, syslog, bind 9,ssh processes. 
> 
> container:~# ps aux 
> 
> USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND 
> root 1 0.0 0.1 1984 692 ? Ss 11:10 0:00 init [2] 
> root 387 0.0 0.4 5884 2272 console Ss 11:10 0:00 /bin/login -- 
> root 388 0.0 0.1 1992 572 tty1 Ss+ 11:10 0:00 /sbin/getty 38400 tty1 
> root 389 0.0 0.1 1992 568 tty2 Ss+ 11:10 0:00 /sbin/getty 38400 tty2 
> root 390 0.0 0.1 1992 568 tty3 Ss+ 11:10 0:00 /sbin/getty 38400 tty3 
> root 392 0.0 0.5 4132 2680 console S 11:11 0:00 -bash 
> root 584 0.0 0.1 2644 956 console R+ 11:43 0:00 ps aux 
> 
> Then use the mount command : 
> 
> container:~# mount -o remount,ro / 
> 
> Return to the Host and try to create a file in /mnt/vmr1/ . The folder is set in "read only". 

For this one, I don't know if it's a kernel bug or a lxc bug. To be 
investigated ...


> The second bug : 
> 
> Install ntfs module in the host : (exemple with ntfs module) 
> 
> debian:# modprobe ntfs 
> 
> Enter into the container and delete ntfs module 
> 
> container:~# rmmod ntfs 
> 
> Return to the host : the module has been removed 
>
> Does anyone have solved this problem ? 
> 
> I think it is a major security problem. 

You have to drop the sys_module capability for the container. That is 
done by adding in the container configuration file:

lxc.cap.drop = sys_module

If you want to drop more capabilities, you can refer to the capabilities 
(7) man page. If you want to drop for example CAP_SYS_TIME, add 
lxc.cap.drop = sys_time

Thanks
   -- Daniel

More information about the lxc-devel mailing list