[lxc-devel] set shmmax for container in lxc-execute

Stéphane Graber stgraber at ubuntu.com
Thu Jul 5 20:26:22 UTC 2012


On 07/05/2012 06:41 AM, J. Xiao wrote:
> Hi,
> 
> I am trying to add lxc.shmmax as a configuration option for lxc-execute, 
> so the container would have desired shmmax setting.
> I run lxc-execute as a regular user and setuid root. When trying to open 
> /proc/sys/kernel/shmmax for write in lxc_setup(), I got "permission 
> denied". I checked that all the capabilities are up in PERMITTED and 
> EFFECTIVE set. Does anyone know the reason for not being able to write 
> to /proc/sys/kernel/shmmax? I can work around this problem by setting 
> the euid to 0 before the open/write, but I would like to understand the 
> permission issue.
> 
> Thanks.
> 
> Jian

Hi Jian,

I've updated the apparmor profile in Ubuntu 12.10 and an update is
pending to Ubuntu 12.04 LTS to implement the same change.

This change whitelists /proc/sys/kernel/shm* in the apparmor profile as
these are tied to the IPC namespace and so are safe to set.

In the meantime, you can manually apply the change to
/etc/apparmor.d/lxc/lxc-default

diff -Nru lxc-0.7.5/debian/lxc-default.apparmor
lxc-0.7.5/debian/lxc-default.apparmor
--- lxc-0.7.5/debian/lxc-default.apparmor	2012-05-24 15:25:38.000000000
+0000
+++ lxc-0.7.5/debian/lxc-default.apparmor	2012-07-05 17:20:00.000000000
+0000
@@ -16,6 +16,9 @@
   # allow mqueue mounts everywhere
   mount fstype=mqueue,

+  # allow fuse mounts everywhere
+  mount fstype=fuse.*,
+
   # the container may never be allowed to mount devpts.  If it does, it
   # will remount the host's devpts.  We could allow it to do it with
   # the newinstance option (but, right now, we don't).
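Review bot: the `mount fstype=fuse.*,` addition at the top of this hunk is not mentioned anywhere in the e-mail, which only describes whitelisting /proc/sys/kernel/shm*; either describe the fuse change too or split it into its own patch so the two can be reviewed and reverted independently. Also check whether the rule is meant to cover the plain `fuse` filesystem type: with the literal dot, `fuse.*` matches `fuse.sshfs` but not `fuse`, so a second `mount fstype=fuse,` rule is needed if that is intended.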
@@ -32,7 +35,8 @@
   deny @{PROC}/sysrq-trigger rwklx,
   deny @{PROC}/mem rwklx,
   deny @{PROC}/kmem rwklx,
-  deny @{PROC}/sys/kernel/** wklx,
+  deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,
+  deny @{PROC}/sys/kernel/*/** wklx,

   # deny writes in /sys except for /sys/fs/cgroup, also allow
   # fusectl, securityfs and debugfs to be mounted there (read-only)
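Review bot: the replacement rule `deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,` does not express "everything except shm*". The three character classes are tested independently, one per position, so the deny no longer covers any entry whose first character is s (sysrq, sem, sched_*), whose second is h (threads-max) or whose third is m (domainname), and entries shorter than three characters never match at all. Since AppArmor deny rules take precedence over allow rules, the shm* exception has to be carved out inside the deny pattern itself, for example with brace alternation:

  deny @{PROC}/sys/kernel/{?,??,[^s]??*,s[^h]?*,sh[^m]*} wklx,
  deny @{PROC}/sys/kernel/*/** wklx,

which denies every name that does not begin with "shm" and keeps the second line for subdirectories. Note also that the rationale given in the e-mail (IPC-namespaced sysctls are safe to set) applies equally to msg* and sem, which this hunk still denies or, in the case of sem, only lets through by accident.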

I'm expecting this fix to land within the next two weeks.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
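The following is an added worked example, not code from the LXC project or the Ubuntu packaging discussed above. It checks what the deny rules in the patch actually cover by translating AppArmor path globs into regular expressions. The translation is an approximation of AppArmor's matching rules (an assumption: `*` does not cross `/`, `**` does, `?` is one non-slash character, `[^...]` is a character class and `{a,b}` is alternation), the list of /proc/sys/kernel entries is constructed sample input rather than a full sysctl listing, and the "suggested" pattern is a reviewer's proposal, not part of the posted patch.

```python
import re

# Constructed sample of /proc/sys/kernel entries (not exhaustive), used as input.
SAMPLE_SYSCTLS = [
    "shmmax", "shmall", "shmmni", "shm_rmid_forced",   # SysV shm, IPC-namespaced
    "msgmax", "msgmnb", "sem",                          # other SysV IPC, IPC-namespaced
    "sysrq", "hostname", "domainname", "modprobe",
    "core_pattern", "threads-max", "sched_rt_runtime_us",
    "random/boot_id", "keys/maxkeys",                   # entries in subdirectories
]

# AppArmor variable expansion assumed by this example.
VARIABLES = {"@{PROC}": "/proc"}

# The path part of the deny rules: before the patch, after the patch, and a
# suggested replacement (assumption, not from the patch) that excludes only shm*.
OLD_DENY = ["@{PROC}/sys/kernel/**"]
PATCH_DENY = ["@{PROC}/sys/kernel/[^s][^h][^m]*", "@{PROC}/sys/kernel/*/**"]
FIXED_DENY = ["@{PROC}/sys/kernel/{?,??,[^s]??*,s[^h]?*,sh[^m]*}",
              "@{PROC}/sys/kernel/*/**"]


def _translate(glob):
    """Translate one AppArmor-style glob into an unanchored regex (approximation)."""
    out = []
    i = 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):          # '**' crosses directory boundaries
            out.append(".*")
            i += 2
        elif c == "*":                         # '*' stops at '/'
            out.append("[^/]*")
            i += 1
        elif c == "?":                         # exactly one non-slash character
            out.append("[^/]")
            i += 1
        elif c == "[":                         # character class, same syntax as regex
            j = glob.index("]", i)
            out.append(glob[i:j + 1])
            i = j + 1
        elif c == "{":                         # brace alternation {a,b,c}
            j = glob.index("}", i)
            alts = [_translate(a) for a in glob[i + 1:j].split(",")]
            out.append("(?:" + "|".join(alts) + ")")
            i = j + 1
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)


def apparmor_glob_to_regex(pattern):
    """Expand profile variables and compile the glob for full-path matching."""
    for var, value in VARIABLES.items():
        pattern = pattern.replace(var, value)
    return re.compile(_translate(pattern))


def denied_by(patterns, names, prefix="/proc/sys/kernel/"):
    """Names under the prefix that at least one deny pattern matches."""
    regexes = [apparmor_glob_to_regex(p) for p in patterns]
    return sorted(n for n in names
                  if any(r.fullmatch(prefix + n) for r in regexes))


def leaked_by(patterns, names):
    """Non-shm entries that escape every deny pattern, i.e. writes the profile meant to block."""
    denied = set(denied_by(patterns, names))
    return sorted(n for n in names if not n.startswith("shm") and n not in denied)


if __name__ == "__main__":
    for label, pats in [("before patch", OLD_DENY),
                        ("after patch", PATCH_DENY),
                        ("suggested", FIXED_DENY)]:
        print(f"{label:13s} denied = {denied_by(pats, SAMPLE_SYSCTLS)}")
        print(f"{'':13s} leaked = {leaked_by(pats, SAMPLE_SYSCTLS)}")
```

Run against the sample list, the patched rule leaves sysrq, sem, sched_rt_runtime_us, threads-max and domainname writable while still denying msgmax and msgmnb, whereas the suggested pattern denies everything except the four shm* entries. The real check is `apparmor_parser -p` with the profile loaded, but this kind of offline matcher is a quick way to sanity-check a negated character class before shipping it.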

