[lxc-devel] security of mounting sysfs in LXC container?

Stéphane Graber stgraber at ubuntu.com
Tue May 15 17:00:21 UTC 2012



On 05/15/2012 11:45 AM, steve at linuxsuite.org wrote:
>> On Tuesday, 15 May 2012 at 10:34 -0400, steve at linuxsuite.org
>> wrote:
>>> Howdy!
>>> 
>>> On debian squeeze with LXC version 0.7.2 , I can mount sysfs
>>> in the container..
>>> 
>>> Isn't this a serious security issue? I.e. messing with files in
>>> /sys/ as root in a container.
>>> 
>>> Or is sysfs protected somehow in LXC container? Is there a 
>>> workaround? Or is this issue on the TODO list? Or is this
>>> changed in later versions??
>> 
>> I don't think it is really possible to protect it, unless you
>> mount it read-only and drop mount capabilities (which means
>> dropping cap_sys_admin, which probably has a lot of other
>> drawbacks). Or you need to use some other tricks like SELinux /
>> Apparmor / ...
> 
> There are lots of scenarios where the ability to mount sysfs in a
> container is not needed, and/or for security reasons is just a bad
> idea.
> 
> Isn't it possible to add simple check to prevent mounting sysfs in
> a container, and this feature could be configurable either on a
> container by container basis or for all containers? Otherwise
> getting root in a container allows for possible trashing of entire
> host by messing with files in /sysfs??
> 
> This issue is important, and will limit use of LXC in important 
> production situations. Other container solutions do not allow for
> mounting sysfs in container, example Linux-Vserver
> 
> thoughts? If simple enough and with adequate guidance I may be able
> to implement this if it is not on the TODO, and is technically 
> feasible? But I suppose if it was simple and feasible it would
> already be done. Or perhaps understandably there are other
> priorities? or conflicts with other parts of the system or.. perhaps
> better to implement this through other means like SELinux (trivial
> or difficult??)
> 
> thanx - steve

There's currently no easy way for LXC itself to prevent mounting a
single filesystem. The easiest way to do this is by using
apparmor/selinux which Ubuntu 12.04 LTS does by default (you can only
write to a limited subset of /sys that we know is safe).

Blocking /sys entirely isn't the right option either as you'll
actually need to have access to some of it with recent distributions,
at least for some subset of /sys/fs.

/sys isn't the only risky filesystem in a container at the moment,
/proc in most distros contains /proc/sysrq-trigger which lets a
container reboot or shutdown the host and for this one you don't quite
have the option not to mount it.

The real solution to the problem, as stated by Serge, is to use the
user namespaces which we hope will land in the upstream kernel very soon.
Until then, we can't consider LXC to be root safe and we can only
mitigate the issue by using apparmor or selinux (we can't know for a
fact that we didn't miss something in the profile, so can't assume it
to be safe).

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
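An added example, not from this thread or from the LXC project: a small POSIX shell audit that reads a mountinfo listing (the view a process gets from /proc/self/mountinfo) and flags the two exposures the message describes, a read-write sysfs and a proc mount whose /proc/sysrq-trigger has not been masked by a mount on top of it. The mountinfo sample is constructed; the function name audit_mounts and the "masked by an overmount" check are assumptions, not anything LXC or the Ubuntu profile does.

```shell
#!/bin/sh
# Added example (not from the thread): audit a mountinfo-format file for
#   - sysfs mounted read-write (container root can write under /sys)
#   - a proc mount with /proc/sysrq-trigger not covered by another mount
# Prints one "RISK: ..." line per finding; exit status 1 if any, else 0.

audit_mounts() {
    # $1: mountinfo-format file (defaults to the calling process's own view)
    awk '
    {
        mnt = $5; opts = $6; fstype = ""
        # fields after the "-" separator are: fstype, source, super options
        for (i = 7; i <= NF; i++) if ($i == "-") { fstype = $(i + 1); break }
        if (fstype == "sysfs" && ("," opts ",") ~ /,rw,/) {
            print "RISK: sysfs mounted read-write at " mnt; risk++
        }
        if (fstype == "proc") proc_mounts = proc_mounts " " mnt
        # a bind or tmpfs mount placed over the file counts as masking it
        if (mnt == "/proc/sysrq-trigger") sysrq_masked = 1
    }
    END {
        if (proc_mounts != "" && !sysrq_masked) {
            print "RISK: proc mounted at" proc_mounts " but /proc/sysrq-trigger is not masked"
            risk++
        }
        exit (risk > 0)
    }' "${1:-/proc/self/mountinfo}"
}

# Constructed sample of what an unconfined container root might see
SAMPLE="${TMPDIR:-/tmp}/mountinfo.sample.$$"
cat > "$SAMPLE" <<'EOF'
22 1 0:19 / / rw,relatime - ext4 /dev/vda1 rw
23 22 0:4 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
24 22 0:20 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
EOF
audit_mounts "$SAMPLE"
echo "audit exit status: $?"
rm -f "$SAMPLE"
```

Run it with no argument inside a container to audit that container's own mount view; the sample above reports both risks.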