[lxc-devel] question about /sys/fs/cgroup/cgmanager

Serge Hallyn serge.hallyn at ubuntu.com
Fri Nov 6 20:07:55 UTC 2015


Quoting Dietmar Maurer (dietmar at proxmox.com):
> seems directory /sys/fs/cgroup/cgmanager is directly mounted from host, so any
> container can simply remove the cgmanager socket on the host from inside the
> container:
> 
> # rm /sys/fs/cgroup/cgmanager/sock
> 
> I guess this should not be possible?

It's not possible from a user-namespaced container.  For a container where root
is root, the only thing I can think of that would prevent this is selinux, maybe
smack.  Sadly there is no way with apparmor to say "you may not delete /a/b
but you may write to /a/b".

The reason we did it this way instead of just binding in the sock itself is
because if cgmanager restarts, this allows all containers to continue and
just pick up the new socket.  Binding in the socket itself would make
umount+rm in the container innocuous, but a cgmanager restart would be
problematic in the container.
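The two failure modes discussed above (a shared directory lets a container unlink the daemon's socket; a pinned socket inode goes dead when the daemon restarts) can be reproduced without containers or mounts. The following is an added example, not code from this thread, from cgmanager or from lxc: it uses a plain unix socket in a temporary directory, and a hard link to the socket file stands in for "binding in the sock itself" (both give a second name that resolves to the same socket inode). Function names and the "container rm" step are this example's own.

```python
import errno
import os
import socket
import tempfile


def start_server(path):
    """Create a listening unix socket at path, replacing any stale file.

    This mirrors what a daemon does on (re)start: unlink the old name and
    bind a fresh socket at the same path.  The new socket is a new inode.
    """
    try:
        os.unlink(path)
    except FileNotFoundError:
        pass
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(8)
    return srv


def try_connect(path):
    """Return 'ok' if a client can connect via path, else the errno name."""
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        client.connect(path)
        return "ok"
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e.errno))
    finally:
        client.close()


def simulate_restart_and_rm():
    """Walk through daemon restart and a container-side rm of the socket.

    Returns a dict of connect results for a client that resolves the socket
    through the directory (what a bind-mounted directory gives the container)
    and for a client pinned to the original inode (what a bind-mounted socket
    file would give it).  Hypothetical scenario constructed for this example.
    """
    with tempfile.TemporaryDirectory() as shared_dir:
        by_dir = os.path.join(shared_dir, "sock")
        pinned = os.path.join(shared_dir, "sock.pinned")  # assumption: stands in for a file bind mount

        srv = start_server(by_dir)
        os.link(by_dir, pinned)  # second name for the same socket inode
        before = (try_connect(by_dir), try_connect(pinned))

        # Daemon restart: old listener closed, new socket bound at the same name.
        srv.close()
        srv = start_server(by_dir)
        after_restart = (try_connect(by_dir), try_connect(pinned))

        # A root-is-root container running `rm` on the shared directory:
        # the daemon is still alive, but nobody can find it by name any more.
        os.unlink(by_dir)
        after_rm = try_connect(by_dir)

        srv.close()
        os.unlink(pinned)
        return {"before": before, "after_restart": after_restart, "after_rm": after_rm}


if __name__ == "__main__":
    for step, result in simulate_restart_and_rm().items():
        print(step, result)
```

After the restart, the name looked up through the directory reaches the new socket while the pinned inode gives ECONNREFUSED, which is the trade-off the message describes; the final step shows that the cost of the directory approach is that an unlink from anyone who can write the directory leaves the daemon running but unreachable (ENOENT), until it re-creates the socket.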

