[lxc-devel] set shmmax for container in lxc-execute

J. Xiao jian at linux.vnet.ibm.com
Thu Jul 5 20:41:11 UTC 2012


Thanks Stephane for your answer.

However, I am running on RedHat; is there a similar file on RedHat I can check?

On 7/5/2012 4:26 PM, Stéphane Graber wrote:
> On 07/05/2012 06:41 AM, J. Xiao wrote:
>> Hi,
>>
>> I am trying to add lxc.shmmax as a configuration option for lxc-execute,
>> so the container would have desired shmmax setting.
>> I run lxc-execute as a regular user and setuid root. When trying to open
>> /proc/sys/kernel/shmmax for write in lxc_setup(), I got "permission
>> denied". I checked that all the capabilities are up in PERMITTED and
>> EFFECTIVE set. Does anyone know the reason for not being able to write
>> to /proc/sys/kernel/shmmax? I can work around this problem by setting
>> the euid to 0 before the open/write, but I would like to understand the
>> permission issue.
>>
>> Thanks.
>>
>> Jian
>
> Hi Jian,
>
> I've updated the apparmor profile in Ubuntu 12.10 and an update is
> pending to Ubuntu 12.04 LTS to implement the same change.
>
> This change whitelists /proc/sys/kernel/shm* in the apparmor profile as
> these are tied to the IPC namespace and so are safe to set.
>
> In the meantime, you can manually apply the change to
> /etc/apparmor.d/lxc/lxc-default
>
> diff -Nru lxc-0.7.5/debian/lxc-default.apparmor
> lxc-0.7.5/debian/lxc-default.apparmor
> --- lxc-0.7.5/debian/lxc-default.apparmor	2012-05-24 15:25:38.000000000
> +0000
> +++ lxc-0.7.5/debian/lxc-default.apparmor	2012-07-05 17:20:00.000000000
> +0000
> @@ -16,6 +16,9 @@
>     # allow mqueue mounts everywhere
>     mount fstype=mqueue,
>
> +  # allow fuse mounts everywhere
> +  mount fstype=fuse.*,
> +
>     # the container may never be allowed to mount devpts.  If it does, it
>     # will remount the host's devpts.  We could allow it to do it with
>     # the newinstance option (but, right now, we don't).
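Review bot: the `+  mount fstype=fuse.*,` addition in this hunk is unrelated to the /proc/sys/kernel/shm* whitelisting the message describes, and nothing in the message says why the confined container should now be allowed FUSE mounts; since it widens what the container may mount, split it into its own change or state the rationale alongside it.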
> @@ -32,7 +35,8 @@
>     deny @{PROC}/sysrq-trigger rwklx,
>     deny @{PROC}/mem rwklx,
>     deny @{PROC}/kmem rwklx,
> -  deny @{PROC}/sys/kernel/** wklx,
> +  deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,
> +  deny @{PROC}/sys/kernel/*/** wklx,
>
>     # deny writes in /sys except for /sys/fs/cgroup, also allow
>     # fusectl, securityfs and debugfs to be mounted there (read-only)
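Review bot: the replacement rule `+  deny @{PROC}/sys/kernel/[^s][^h][^m]* wklx,` does not express "everything except shm*": each negated class consumes exactly one character, so the rule only matches names that differ from "shm" at all three leading positions, and any entry whose first character is s, whose second is h, or whose third is m (sysrq, sched_*, threads-max, domainname, for instance), as well as names shorter than three characters, drops out of the deny entirely. Because AppArmor deny rules take precedence over allow rules, an explicit allow for shm* cannot be used instead; write the exception as an alternation that handles each position separately, e.g. `deny @{PROC}/sys/kernel/{?,??,[^s]*,?[^h]*,??[^m]*} wklx,` (the second added line already covers subdirectories), and list the expected outcome for a few real entries in the commit message so the intent of the pattern is checkable.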
>
> I'm expecting this fix to land within the next two weeks.
>
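The safe way to deploy a narrowed deny rule like the one in the quoted patch is to check, before loading the profile, which /proc/sys/kernel entries it still covers. The following is an added example, not code from this thread or from the lxc project: a small simulator that translates the subset of AppArmor path globbing used in the patch (`*`, `**`, `?`, `[^x]` classes and `{a,b}` alternation; the semantics are a simplified model and an assumption of this example, and the second added line `*/**` is not modelled) into a Python regex and reports which of a constructed list of sysctl names each rule would fail to deny. `PROPOSED_RULE` is the editor's alternative pattern, not something from the patch.

```python
import re

# Constructed sample of entry names under /proc/sys/kernel (not read from a live system).
SAMPLE_ENTRIES = [
    "shmmax", "shmall", "shmmni",        # the entries the patch intends to leave writable
    "sysrq", "sched_child_runs_first",   # first character is 's'
    "threads-max",                       # second character is 'h'
    "domainname",                        # third character is 'm'
    "pid_max", "hostname",               # differ from "shm" at every position
    "ns",                                # shorter than three characters
]

OLD_RULE = "@{PROC}/sys/kernel/**"                        # the deny the patch removes
NEW_RULE = "@{PROC}/sys/kernel/[^s][^h][^m]*"             # the deny the patch adds
PROPOSED_RULE = "@{PROC}/sys/kernel/{?,??,[^s]*,?[^h]*,??[^m]*}"  # editor's suggestion (assumption)


def _split_alternatives(body: str) -> list:
    """Split the inside of a {a,b,{c,d}} group on top-level commas only."""
    parts, depth, cur = [], 0, []
    for ch in body:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def _translate(glob: str) -> str:
    """Translate an AppArmor-style path glob into a regex fragment (simplified model)."""
    out, i, n = [], 0, len(glob)
    while i < n:
        c = glob[i]
        if c == "*":
            if glob.startswith("**", i):      # '**' crosses directory boundaries
                out.append(".*")
                i += 2
            else:                             # '*' stays within one path component
                out.append("[^/]*")
                i += 1
        elif c == "?":                        # exactly one non-'/' character
            out.append("[^/]")
            i += 1
        elif c == "[":                        # character class, passed through unchanged
            j = glob.index("]", i + 1)
            out.append(glob[i:j + 1])
            i = j + 1
        elif c == "{":                        # alternation, translated recursively
            depth, j = 0, i
            while True:
                if glob[j] == "{":
                    depth += 1
                elif glob[j] == "}":
                    depth -= 1
                    if depth == 0:
                        break
                j += 1
            alts = _split_alternatives(glob[i + 1:j])
            out.append("(?:" + "|".join(_translate(a) for a in alts) + ")")
            i = j + 1
        else:                                 # literal character
            out.append(re.escape(c))
            i += 1
    return "".join(out)


def rule_matches(rule: str, path: str) -> bool:
    """True if the deny rule's path glob matches the given absolute path."""
    glob = rule.replace("@{PROC}", "/proc")   # expand the profile variable used in the hunk
    return re.fullmatch(_translate(glob), path) is not None


def uncovered_entries(rule: str, names: list) -> list:
    """Entries under /proc/sys/kernel that the deny rule does NOT match, i.e. not denied by it."""
    return [n for n in names if not rule_matches(rule, "/proc/sys/kernel/" + n)]


if __name__ == "__main__":
    for label, rule in (("old", OLD_RULE), ("patch", NEW_RULE), ("proposed", PROPOSED_RULE)):
        print(f"{label:9s} {rule}")
        print(f"{'':9s} not denied: {uncovered_entries(rule, SAMPLE_ENTRIES)}")
```

Running it shows that the patch's pattern leaves eight of the ten sample entries outside the deny while the intent was to exempt only the three shm* entries; the alternation form exempts exactly those three. The same check is worth repeating against the real directory listing of the host before the profile is loaded.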