[lxc-devel] User namespaces

Fri Feb 22 20:07:06 UTC 2013

I finally got around to testing out user namespaces. Very nice to to
have container root not be kuid 0! One thing that I noticed was that
mingetty in the container was failing because the call to vhangup(2)
failed (and thus no lxc-console). I could patch the container to start
mingetty with --nohangup, but that feels like a workaround and
wouldn't be good when the terminal got reused in the container. Instead
I patched my kernel with:

diff --git a/fs/open.c b/fs/open.c
index 9b33c0c..7c54d1d7 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -1059,7 +1059,7 @@ EXPORT_SYMBOL(sys_close);
  */
 SYSCALL_DEFINE0(vhangup)
 {
-	if (capable(CAP_SYS_TTY_CONFIG)) {
+	if (ns_capable(current_user_ns(), CAP_SYS_TTY_CONFIG)) {
 		tty_vhangup_self();
 		return 0;
 	}

This lets mingetty work, but I'm not so sure it safe to allow a
CAP_SYS_TTY_CONFIG capable process in the namespace hangup whatever
terminal it might be able to open and get to be its controlling
terminal. I guess the terminal would have to be open()able or
TIOCSCTTY'able in the container, but is that enough protection?
Thoughts?


