[lxc-devel] set shmmax for container in lxc-execute
Stéphane Graber
stgraber at ubuntu.com
Thu Jul 5 20:26:22 UTC 2012
On 07/05/2012 06:41 AM, J. Xiao wrote:
> Hi,
>
> I am trying to add lxc.shmmax as a configuration option for lxc-execute,
> so the container would have desired shmmax setting.
> I run lxc-execute as a regular user and setuid root. When trying to open
> /proc/sys/kernel/shmmax for write in lxc_setup(), I got "permission
> denied". I checked that all the capabilities are up in PERMITTED and
> EFFECTIVE set. Does anyone know the reason for not being able to write
> to /proc/sys/kernel/shmmax? I can work around this problem by setting
> the euid to 0 before the open/write, but I would like to understand the
> permission issue.
>
> Thanks.
>
> Jian
Hi Jian,
I've updated the apparmor profile in Ubuntu 12.10 and an update is
pending to Ubuntu 12.04 LTS to implement the same change.
This change whitelists /proc/sys/kernel/shm* in the apparmor profile as
these are tied to the IPC namespace and so are safe to set.
In the meantime, you can manually apply the change to
/etc/apparmor.d/lxc/lxc-default
diff -Nru lxc-0.7.5/debian/lxc-default.apparmor
lxc-0.7.5/debian/lxc-default.apparmor
--- lxc-0.7.5/debian/lxc-default.apparmor 2012-05-24 15:25:38.000000000
+0000
+++ lxc-0.7.5/debian/lxc-default.apparmor 2012-07-05 17:20:00.000000000
+0000
@@ -16,6 +16,9 @@
# allow mqueue mounts everywhere
mount fstype=mqueue,
+ # allow fuse mounts everywhere
+ mount fstype=fuse.*,
+
# the container may never be allowed to mount devpts. If it does, it
# will remount the host's devpts. We could allow it to do it with
# the newinstance option (but, right now, we don't).
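Review bot: the `+ mount fstype=fuse.*,` line is unrelated to the shm whitelisting this patch is described as doing, and the accompanying text says nothing about it. Either split it into its own change or add a comment justifying why a container may mount any FUSE filesystem type, in the same way the neighbouring mqueue and devpts rules each carry their own rationale.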
@@ -32,7 +35,8 @@
deny @{PROC}/sysrq-trigger rwklx,
deny @{PROC}/mem rwklx,
deny @{PROC}/kmem rwklx,
- deny @{PROC}/sys/kernel/** wklx,
+ deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,
+ deny @{PROC}/sys/kernel/*/** wklx,
# deny writes in /sys except for /sys/fs/cgroup, also allow
# fusectl, securityfs and debugfs to be mounted there (read-only)
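Review bot: `deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,` does not mean "every name except shm*". Each negated class is matched independently, so the rule fails to match, and therefore stops denying, any entry whose first character is `s`, whose second is `h`, or whose third is `m`: `sysrq`, `sem`, `threads-max` and `domainname` all become writable from the container, while the stated intent is to open only `shmall`, `shmmax` and `shmmni`. AppArmor has no negative match, so spell out the complement of the `shm` prefix as three rules, `deny @{PROC}/sys/kernel/[^s]* wklx,`, `deny @{PROC}/sys/kernel/s[^h]* wklx,` and `deny @{PROC}/sys/kernel/sh[^m]* wklx,`, and keep the `@{PROC}/sys/kernel/*/** wklx,` rule for subdirectories.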
I'm expecting this fix to land within the next two weeks.
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
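As an added example (not part of Stéphane's message or of the lxc tree), the following Python models AppArmor's file-glob matching over a constructed sample of /proc/sys/kernel entries and compares which ones stay writable under the original blanket deny, the rules in the patch above, and a three-rule decomposition of "not prefixed with shm". The glob semantics are a simplified reading of AppArmor rule syntax assumed here: `*` matches anything but `/`, `**` also crosses `/`, `[^x]` is a negated character class, `@{PROC}` expands to /proc, and a deny rule wins over any allow.

```python
import re

# Simplified model of AppArmor path globbing (assumption for this example):
#   *      any run of characters not containing '/'
#   **     any run of characters, '/' included
#   ?      one character other than '/'
#   [...]  character class, [^...] negated; bodies are taken as literal chars
#   @{PROC} is expanded to /proc as the profile variable normally is.
def apparmor_glob_to_regex(glob: str) -> "re.Pattern[str]":
    glob = glob.replace("@{PROC}", "/proc")
    parts = []
    i = 0
    while i < len(glob):
        if glob.startswith("**", i):
            parts.append(".*")
            i += 2
        elif glob[i] == "*":
            parts.append("[^/]*")
            i += 1
        elif glob[i] == "?":
            parts.append("[^/]")
            i += 1
        elif glob[i] == "[":
            j = glob.index("]", i)
            parts.append(glob[i:j + 1])  # [^s] is the same class in a regex
            i = j + 1
        else:
            parts.append(re.escape(glob[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def denied_for_write(path: str, deny_globs) -> bool:
    """True if any deny glob matches; in AppArmor a deny beats every allow."""
    return any(apparmor_glob_to_regex(g).match(path) for g in deny_globs)


# Path globs from the three variants of the profile (the 'deny' keyword and
# 'wklx' permissions are dropped, only the path part matters here).
OLD_RULES = ["@{PROC}/sys/kernel/**"]
PATCH_RULES = ["@{PROC}/sys/kernel/[^s][^h][^m]*",
               "@{PROC}/sys/kernel/*/**"]
# Complement of the prefix 'shm' spelled out explicitly: first char is not
# 's', or it is 's' followed by a non-'h', or 'sh' followed by a non-'m'.
TIGHTER_RULES = ["@{PROC}/sys/kernel/[^s]*",
                 "@{PROC}/sys/kernel/s[^h]*",
                 "@{PROC}/sys/kernel/sh[^m]*",
                 "@{PROC}/sys/kernel/*/**"]

# Constructed sample of entries found under /proc/sys/kernel (not a full list).
SAMPLE_ENTRIES = ["shmmax", "shmall", "shmmni", "hostname", "domainname",
                  "sysrq", "sem", "threads-max", "modprobe", "random/boot_id"]


def writable_entries(rules, entries=SAMPLE_ENTRIES):
    """Entries a confined container could still open for writing."""
    return sorted(e for e in entries
                  if not denied_for_write("/proc/sys/kernel/" + e, rules))


if __name__ == "__main__":
    for name, rules in (("original", OLD_RULES), ("patch", PATCH_RULES),
                        ("tighter", TIGHTER_RULES)):
        print(f"{name:9s} writable: {writable_entries(rules)}")
```

Running it shows that the patched rules leave `domainname`, `sem`, `sysrq` and `threads-max` writable alongside the three shm entries, while the three-rule decomposition opens exactly `shmall`, `shmmax` and `shmmni`. Check the real profile with `apparmor_parser -p` and `aa-status` rather than trusting this model, which covers only the glob subset used in these rules.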