[lxc-devel] [PATCH] lxc-attach: Consider cgroup, personality and capabilities when attaching processes to a container
Christian Seiler
christian at iwakd.de
Sun Feb 5 23:20:27 UTC 2012
Hi Daniel,
> thanks for your patches and your analysis.
>
> IMO, we have to take into account the process we want to attach could be
> an admin task and this one may want to have the full permissions within
> the container. Also that could be an external daemon with the same
> permissions as the container's processes. So inheriting should be
> optional as it is up to the administrator to do the right action.
Yes, that's why I added the --keep-capabilities option to lxc-attach, to
make it possible for the administrator to execute a process inside the
container with higher permissions.
However, I only included capabilities there; it's true that cgroups may
impose an additional constraint. (Especially the device cgroup
controller.) On the other hand, the personality (which in LXC context
essentially means the architecture such as x86-64 vs. x86-32) is not
something I see as a "permission", but rather as a general property of
the container.
So the approach would then be:
- default behaviour: use same restrictions as container
- command line flag that allows one to ignore cgroups and capabilities
- command line option to choose any architecture that's supported by
the current running kernel (defaults to the arch of the container)
I do strongly think the default behaviour should be to use the same
restrictions as the container, as I see that to be the primary use case,
take for example
lxc-attach -n container -- /etc/init.d/sshd restart
This could easily leak privileges - the admin should explicitly state
that he/she wants to use elevated privileges if required.
> The parsing of the configuration file is right at the moment the
> container has a configuration file and we did not launched the container
> with the -s lxc.. options, or we did not modify the configuration file
> after the container is launched.
>
> I think it is much more sane to retrieve the needed informations from:
>
> * /proc/<pid>/status : for the capabilities
> * /proc/<pid>/cgroup
> * /proc/<pid>/personality
>
> Where <pid> is the init pid of the container we can get through
> get_init_pid function.
Yes, that seems like a reasonable approach. I'd rework the patches as
follows:
No flags: container's privileges according to /proc
-e/--elevated-privileges: maximum privileges (cgroup, capabilities)
-a x86/--arch=x86: manually specify the architecture
(default to container's arch)
Is that agreeable?
Regards,
Christian
More information about the lxc-devel
mailing list