[lxc-devel] [lxd/master] Introduce a new security.devlxd key to control visibility of /dev/lxd…
calhorn95 on Github
lxc-bot at linuxcontainers.org
Wed Nov 29 03:03:46 UTC 2017
From 117195b96dc78669496ddccb2e36e56a831bad85 Mon Sep 17 00:00:00 2001
From: Chris Loper <chrisloper at utexas.edu>
Date: Tue, 28 Nov 2017 21:00:55 -0600
Subject: [PATCH] Introduce a new security.devlxd key to control visibility of
/dev/lxd inside the container
Issue: #3997
Signed-off-by: Chris Loper
---
config/bash/lxd-client | 2 +-
doc/api-extensions.md | 7 +++++++
doc/containers.md | 1 +
lxd/container_lxc.go | 18 ++++++++++++++----
shared/container.go | 1 +
shared/version/api.go | 1 +
6 files changed, 25 insertions(+), 5 deletions(-)
diff --git a/config/bash/lxd-client b/config/bash/lxd-client
index 88d55fbae..4c4236578 100644
--- a/config/bash/lxd-client
+++ b/config/bash/lxd-client
@@ -78,7 +78,7 @@ _have lxc && {
limits.memory.swap limits.memory.swap.priority limits.network.priority \
limits.processes linux.kernel_modules raw.apparmor raw.idmap raw.lxc \
raw.seccomp security.idmap.base security.idmap.isolated \
- security.idmap.size security.nesting security.privileged \
+ security.idmap.size security.devlxd security.nesting security.privileged \
security.syscalls.blacklist security.syscalls.blacklist_compat \
security.syscalls.blacklist_default \
volatile.apply_quota volatile.apply_template volatile.base_image \
diff --git a/doc/api-extensions.md b/doc/api-extensions.md
index 70b1076c1..fd829070b 100644
--- a/doc/api-extensions.md
+++ b/doc/api-extensions.md
@@ -32,6 +32,13 @@ A number of new syscalls related container configuration keys were introduced.
See [configuration.md](Configuration) for how to use them.
+## restrict\_devlxd
+A new security related container configuration key was introduced.
+
+ * `security.devlxd`
+
+See [configuration.md](Configuration) for how to use them.
+
## auth\_pki
This indicates support for PKI authentication mode.
diff --git a/doc/containers.md b/doc/containers.md
index 8d93f1f0a..791b46123 100644
--- a/doc/containers.md
+++ b/doc/containers.md
@@ -50,6 +50,7 @@ security.idmap.isolated | boolean | false | no
security.idmap.size | integer | - | no | id\_map | The size of the idmap to use
security.nesting | boolean | false | yes | - | Support running lxd (nested) inside the container
security.privileged | boolean | false | no | - | Runs the container in privileged mode
+security.devlxd | boolean | true | no | - | Supports /dev/lxd/ in the container if true
security.syscalls.blacklist | string | - | no | container\_syscall\_filtering | A '\n' separated list of syscalls to blacklist
security.syscalls.blacklist\_compat | boolean | false | no | container\_syscall\_filtering | On x86\_64 this enables blocking of compat\_\* syscalls, it is a no-op on other arches
security.syscalls.blacklist\_default | boolean | true | no | container\_syscall\_filtering | Enables the default syscall blacklist
diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index ea1201cd2..595e583dd 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -1054,10 +1054,12 @@ func (c *containerLXC) initLXC(config bool) error {
}
// Setup devlxd
- err = lxcSetConfigItem(cc, "lxc.mount.entry", fmt.Sprintf("%s dev/lxd none bind,create=dir 0 0", shared.VarPath("devlxd")))
- if err != nil {
- return err
- }
+ if c.IsDevLxd() {
+ err = lxcSetConfigItem(cc, "lxc.mount.entry", fmt.Sprintf("%s dev/lxd none bind,create=dir 0 0", shared.VarPath("devlxd")))
+ if err != nil {
+ return err
+ }
+ }
// Setup AppArmor
if c.state.OS.AppArmorAvailable {
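Review bot: The new `if c.IsDevLxd()` guard is consulted only when the LXC configuration is generated in initLXC, so flipping `security.devlxd` to false on a running container leaves the existing `/dev/lxd` bind mount in place until the next start. That matches the containers.md row, which marks the key as not live-updatable, but nothing visible in this patch rejects or warns about such a change, so an operator may believe the socket is withdrawn when it is not. I would make the intent explicit in the comment: `// Setup devlxd: skip the bind mount entirely when security.devlxd=false so the guest has no path to the host-side devlxd socket (takes effect on next start)`. initLXC starts and ends outside this hunk.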
@@ -7126,6 +7128,14 @@ func (c *containerLXC) IsPrivileged() bool {
return shared.IsTrue(c.expandedConfig["security.privileged"])
}
+func (c *containerLXC) IsDevLxd() bool {
+ if (c.expandedConfig["security.devlxd"] == "") {
+ return true
+ } else {
+ return shared.IsTrue(c.expandedConfig["security.devlxd"])
+ }
+}
+
func (c *containerLXC) IsRunning() bool {
state := c.State()
return state != "BROKEN" && state != "STOPPED"
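Review bot: `IsDevLxd` is not gofmt/golint clean: the parentheses around the condition on the `if` line are redundant and the `else` after a `return` is unnecessary; `if v := c.expandedConfig["security.devlxd"]; v != "" { return shared.IsTrue(v) }` followed by `return true` expresses the same logic in two lines. The unset-means-enabled default is the backward-compatible choice but deserves a doc comment, e.g. `// IsDevLxd reports whether /dev/lxd is exposed to the container; an unset key defaults to true so existing containers keep their socket.` Presumably `shared.IsTrue` returns false for any unrecognised spelling, which would silently disable devlxd for a malformed value, so the `IsBool` validator added in shared/container.go is what keeps such values out of expandedConfig — worth a one-line note here so the two stay in sync.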
diff --git a/shared/container.go b/shared/container.go
index 9b78c377d..6306920ba 100644
--- a/shared/container.go
+++ b/shared/container.go
@@ -169,6 +169,7 @@ var KnownContainerConfigKeys = map[string]func(value string) error{
"security.nesting": IsBool,
"security.privileged": IsBool,
+ "security.devlxd": IsBool,
"security.idmap.base": IsUint32,
"security.idmap.isolated": IsBool,
diff --git a/shared/version/api.go b/shared/version/api.go
index 13ddbb7b0..ed5ce80ff 100644
--- a/shared/version/api.go
+++ b/shared/version/api.go
@@ -80,4 +80,5 @@ var APIExtensions = []string{
"macaroon_authentication",
"network_sriov",
"console",
+ "restrict_devlxd",
}