[lxc-devel] [PATCH] lxc-attach: Consider cgroup, personality and capabilities when attaching processes to a container

Daniel Lezcano daniel.lezcano at free.fr
Sun Feb 5 22:48:55 UTC 2012


On 02/03/2012 01:54 PM, Christian Seiler wrote:
> Hi,
>
> As I didn't hear anything on this issue, I looked at it more closely and
> found that not only are capabilities currently not dropped from
> within lxc, but also the personality is not set correctly and the newly
> started process is not put in the correct cgroup (circumventing e.g. device
> restrictions!) when using lxc-attach.
>
> I've now created a set of patches that now make sure that every attached
> process is now
>
>   - in the correct cgroup of the container
>   - has the correct personality set
>   - drops its capabilities
>
> I also added the -f and -s switches to lxc-attach, because it now needs to
> read the same configuration file as lxc-start to determine the capabilities
> and personality. Additionally, lxc-attach now has a -k switch, which will
> inhibit it from dropping the capabilities, so an administrator from the
> outside may use this to reconfigure things in the container which he now may
> not have been able to.
>
> I hope you are agreeable to this improvement being merged.

Hi Christian,

thanks for your patches and your analysis.

IMO, we have to take into account the process we want to attach could be 
an admin task and this one may want to have the full permissions within 
the container. Also that could be an external daemon with the same 
permissions as the container's processes. So inheriting should be 
optional as it is up to the administrator to do the right action.

The parsing of the configuration file is right at the moment the 
container has a configuration file and we did not launch the container 
with the -s lxc.. options, or we did not modify the configuration file 
after the container is launched.

I think it is much more sane to retrieve the needed information from:

  * /proc/<pid>/status : for the capabilities
  * /proc/<pid>/cgroup
  * /proc/<pid>/personality

Where <pid> is the init pid of the container, which we can get through the 
get_init_pid function.

Thanks
   -- Daniel
