[lxc-devel] [PATCH] Add a nesting.conf which can be included to support nesting containers (v2)
Stéphane Graber
stgraber at ubuntu.com
Mon Sep 21 15:34:13 UTC 2015
On Thu, Sep 03, 2015 at 08:24:06PM +0000, Serge Hallyn wrote:
> Newer kernels have added a new restriction: if /proc or /sys on the
> host has files or non-empty directories which are over-mounted, and
> there is no /proc which is fully visible, then it assumes there is a
> "security" reason for this. It prevents anyone in a non-initial user
> namespace from creating a new proc or sysfs mount.
>
> To work around this, this patch adds a new 'nesting.conf' which can be
> lxc.include'd from a container configuration file. It adds a
> non-overmounted mount of /proc and /sys under /dev/.lxc, so that the
> kernel can see that we're not trying to *hide* things like /proc/uptime
> and /sys/devices/virtual/net. If the host adds this to the config file
> for container w1, then container w1 will support unprivileged child
> containers.
>
> The nesting.conf file also sets the apparmor profile to the with-nesting
> variant, since that is required anyway. This actually means that
> supporting nesting isn't really more work than it used to be, just
> different. Instead of adding
>
> lxc.aa_profile = lxc-container-default-with-nesting
>
> you now just need to
>
> lxc.include = /usr/share/lxc/config/nesting.conf
>
> (Look, fewer characters :)
>
> Finally, in order to maintain the current apparmor protections on
> proc and sys, we make /dev/.lxc/{proc,sys} non-read/writeable.
> We don't need to be able to use them, we're just showing the
> kernel what's what.
>
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>
> ---
> config/apparmor/profiles/lxc-default-with-nesting | 2 ++
> config/templates/Makefile.am | 1 +
> config/templates/nesting.conf.in | 8 ++++++++
> configure.ac | 1 +
> 4 files changed, 12 insertions(+)
> create mode 100644 config/templates/nesting.conf.in
>
> diff --git a/config/apparmor/profiles/lxc-default-with-nesting b/config/apparmor/profiles/lxc-default-with-nesting
> index 91ad6de..66aa5fd 100644
> --- a/config/apparmor/profiles/lxc-default-with-nesting
> +++ b/config/apparmor/profiles/lxc-default-with-nesting
> @@ -8,6 +8,8 @@ profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_de
> # Uncomment the line below if you are not using cgmanager
> # mount fstype=cgroup -> /sys/fs/cgroup/**,
>
> + deny /dev/.lxc/proc/** rw,
> + deny /dev/.lxc/sys/** rw,
> mount fstype=proc -> /var/cache/lxc/**,
> mount fstype=sysfs -> /var/cache/lxc/**,
> mount options=(rw,bind),
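Review bot: confirm that the two deny rules also cover the mount-point directories `/dev/.lxc/proc` and `/dev/.lxc/sys` themselves (directory listing), not only the entries beneath them, and add an explicit `deny /dev/.lxc/{proc,sys}/ rw,` if they do not. A one-line comment above the rules saying that these mounts exist only to satisfy the kernel's over-mount check and are never meant to be used from inside the container, as the commit message explains, would help anyone reading the profile without the patch history.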
> diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am
> index 329f919..e587899 100644
> --- a/config/templates/Makefile.am
> +++ b/config/templates/Makefile.am
> @@ -18,6 +18,7 @@ templatesconfig_DATA = \
> gentoo.common.conf \
> gentoo.moresecure.conf \
> gentoo.userns.conf \
> + nesting.conf \
> opensuse.common.conf \
> opensuse.userns.conf \
> oracle.common.conf \
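Review bot: `nesting.conf` is a generated file (this same patch builds it from `nesting.conf.in` through `configure.ac`), so check that `nesting.conf.in` is shipped in the distribution tarball (`EXTRA_DIST`) and that the generated `nesting.conf` is cleaned and ignored the same way as the neighbouring `*.userns.conf` files; neither is visible in this hunk.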
> diff --git a/config/templates/nesting.conf.in b/config/templates/nesting.conf.in
> new file mode 100644
> index 0000000..b712ef6
> --- /dev/null
> +++ b/config/templates/nesting.conf.in
> @@ -0,0 +1,8 @@
> +# Use a profile which allows nesting
> +lxc.aa_profile = lxc-container-default-with-nesting
> +
> +# Add uncovered mounts of proc and sys, else unprivileged users
> +# cannot remount those
> +
> +lxc.mount.entry = proc dev/.lxc/proc proc create=dir,optional 0 0
> +lxc.mount.entry = sys dev/.lxc/sys sysfs create=dir,optional 0 0
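Review bot: both mount entries carry `optional`, so if either mount fails the container still starts and simply lacks nesting support, with nothing pointing the user at the cause; the comment should say so, and should name the kernel behaviour being worked around (new proc or sysfs mounts refused in a non-initial user namespace when the host's /proc or /sys is over-mounted) rather than the vaguer "unprivileged users cannot remount those". The header comment should also note that whichever `lxc.aa_profile` assignment comes last in the assembled configuration takes effect, so where the `lxc.include` line sits relative to any existing `lxc.aa_profile` line in the including config matters.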
> diff --git a/configure.ac b/configure.ac
> index 5e9538e..4bad326 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -647,6 +647,7 @@ AC_CONFIG_FILES([
> config/templates/gentoo.common.conf
> config/templates/gentoo.moresecure.conf
> config/templates/gentoo.userns.conf
> + config/templates/nesting.conf
> config/templates/opensuse.common.conf
> config/templates/opensuse.userns.conf
> config/templates/oracle.common.conf
> --
> 2.5.0
>
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com