[lxc-devel] [lxd/master] Introduce a new security.devlxd key to control visibility of /dev/lxd…

calhorn95 on Github lxc-bot at linuxcontainers.org
Wed Nov 29 03:03:46 UTC 2017


From 117195b96dc78669496ddccb2e36e56a831bad85 Mon Sep 17 00:00:00 2001
From: Chris Loper <chrisloper at utexas.edu>
Date: Tue, 28 Nov 2017 21:00:55 -0600
Subject: [PATCH] Introduce a new security.devlxd key to control visibility of
 /dev/lxd inside the container

Issue: #3997

Signed-off-by: Chris Loper
---
 config/bash/lxd-client |  2 +-
 doc/api-extensions.md  |  7 +++++++
 doc/containers.md      |  1 +
 lxd/container_lxc.go   | 18 ++++++++++++++----
 shared/container.go    |  1 +
 shared/version/api.go  |  1 +
 6 files changed, 25 insertions(+), 5 deletions(-)

diff --git a/config/bash/lxd-client b/config/bash/lxd-client
index 88d55fbae..4c4236578 100644
--- a/config/bash/lxd-client
+++ b/config/bash/lxd-client
@@ -78,7 +78,7 @@ _have lxc && {
       limits.memory.swap limits.memory.swap.priority limits.network.priority \
       limits.processes linux.kernel_modules raw.apparmor raw.idmap raw.lxc \
       raw.seccomp security.idmap.base security.idmap.isolated \
-      security.idmap.size security.nesting security.privileged \
+      security.idmap.size security.devlxd security.nesting security.privileged \
       security.syscalls.blacklist security.syscalls.blacklist_compat \
       security.syscalls.blacklist_default \
       volatile.apply_quota volatile.apply_template volatile.base_image \
diff --git a/doc/api-extensions.md b/doc/api-extensions.md
index 70b1076c1..fd829070b 100644
--- a/doc/api-extensions.md
+++ b/doc/api-extensions.md
@@ -32,6 +32,13 @@ A number of new syscalls related container configuration keys were introduced.
 
 See [configuration.md](Configuration) for how to use them.
 
+## restrict\_devlxd
+A new security related container configuration key was introduced. 
+
+ * `security.devlxd`
+
+See [configuration.md](Configuration) for how to use them.
+
 ## auth\_pki
 This indicates support for PKI authentication mode.
 
diff --git a/doc/containers.md b/doc/containers.md
index 8d93f1f0a..791b46123 100644
--- a/doc/containers.md
+++ b/doc/containers.md
@@ -50,6 +50,7 @@ security.idmap.isolated              | boolean   | false         | no
 security.idmap.size                  | integer   | -             | no            | id\_map                              | The size of the idmap to use
 security.nesting                     | boolean   | false         | yes           | -                                    | Support running lxd (nested) inside the container
 security.privileged                  | boolean   | false         | no            | -                                    | Runs the container in privileged mode
+security.devlxd                      | boolean   | true          | no            | -                                    | Supports /dev/lxd/ in the container if true
 security.syscalls.blacklist          | string    | -             | no            | container\_syscall\_filtering        | A '\n' separated list of syscalls to blacklist
 security.syscalls.blacklist\_compat  | boolean   | false         | no            | container\_syscall\_filtering        | On x86\_64 this enables blocking of compat\_\* syscalls, it is a no-op on other arches
 security.syscalls.blacklist\_default | boolean   | true          | no            | container\_syscall\_filtering        | Enables the default syscall blacklist
diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index ea1201cd2..595e583dd 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -1054,10 +1054,12 @@ func (c *containerLXC) initLXC(config bool) error {
 	}
 
 	// Setup devlxd
-	err = lxcSetConfigItem(cc, "lxc.mount.entry", fmt.Sprintf("%s dev/lxd none bind,create=dir 0 0", shared.VarPath("devlxd")))
-	if err != nil {
-		return err
-	}
+	if c.IsDevLxd() {
+		err = lxcSetConfigItem(cc, "lxc.mount.entry", fmt.Sprintf("%s dev/lxd none bind,create=dir 0 0", shared.VarPath("devlxd")))
+		if err != nil {
+			return err
+		}
+	} 
 
 	// Setup AppArmor
 	if c.state.OS.AppArmorAvailable {
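Review bot: The closing brace of the new `if c.IsDevLxd()` block carries a trailing space (`} `), which gofmt will flag; the line should be just `}`. The enclosing initLXC body starts and ends outside this hunk, so the earlier declaration of `err` is not visible here, but the unchanged `err =` assignment suggests it exists. A short comment on the guard would help readers who see the mount silently disappear, e.g. `// Setup devlxd (skipped when security.devlxd is explicitly false; the key defaults to true)`.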
@@ -7126,6 +7128,14 @@ func (c *containerLXC) IsPrivileged() bool {
 	return shared.IsTrue(c.expandedConfig["security.privileged"])
 }
 
+func (c *containerLXC) IsDevLxd() bool {
+	if (c.expandedConfig["security.devlxd"] == "") {
+		return true
+	} else {
+		return shared.IsTrue(c.expandedConfig["security.devlxd"])
+	}
+}
+
 func (c *containerLXC) IsRunning() bool {
 	state := c.State()
 	return state != "BROKEN" && state != "STOPPED"
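Review bot: IsDevLxd parenthesises its if condition, keeps an `else` after a terminating `return`, and looks up the same map key twice, none of which matches the neighbouring IsPrivileged; the body can be `v := c.expandedConfig["security.devlxd"]` followed by `return v == "" || shared.IsTrue(v)`. As an exported method it also needs a doc comment stating the default, e.g. `// IsDevLxd reports whether /dev/lxd is exposed inside the container; security.devlxd defaults to true when unset.`. Any value that shared.IsTrue does not recognise yields false here, which is presumably intended given the IsBool validator added in shared/container.go, but is worth confirming.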
diff --git a/shared/container.go b/shared/container.go
index 9b78c377d..6306920ba 100644
--- a/shared/container.go
+++ b/shared/container.go
@@ -169,6 +169,7 @@ var KnownContainerConfigKeys = map[string]func(value string) error{
 
 	"security.nesting":    IsBool,
 	"security.privileged": IsBool,
+	"security.devlxd":     IsBool,
 
 	"security.idmap.base":     IsUint32,
 	"security.idmap.isolated": IsBool,
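Review bot: `security.devlxd` is appended after `security.privileged`, which breaks the alphabetical order the surrounding group keeps (`security.nesting`, `security.privileged`); placing it first in that group keeps the list sorted. The KnownContainerConfigKeys map starts outside this hunk.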
diff --git a/shared/version/api.go b/shared/version/api.go
index 13ddbb7b0..ed5ce80ff 100644
--- a/shared/version/api.go
+++ b/shared/version/api.go
@@ -80,4 +80,5 @@ var APIExtensions = []string{
 	"macaroon_authentication",
 	"network_sriov",
 	"console",
+	"restrict_devlxd",
 }

