[lxc-devel] [lxd/master] add LXD_UNPRIVILEGED_ONLY to disallow privileged containers.
Catramen on Github
lxc-bot at linuxcontainers.org
Thu Apr 19 01:55:44 UTC 2018
From 75456a892e63e65819b916c0f1bfee0177a00305 Mon Sep 17 00:00:00 2001
From: Jingkui Wang <wjkcow at umich.edu>
Date: Tue, 17 Apr 2018 19:31:12 -0400
Subject: [PATCH] add LXD_UNPRIVILEGED_ONLY to disallow privileged containers.
Signed-off-by: Jingkui Wang <jkwang at google.com>
---
lxd/container.go | 16 +++++++++++++---
lxd/container_lxc.go | 10 ++++++++++
2 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/lxd/container.go b/lxd/container.go
index 6134ffd60..9a390c2d0 100644
--- a/lxd/container.go
+++ b/lxd/container.go
@@ -240,7 +240,7 @@ func containerValidDeviceConfigKey(t, k string) bool {
}
}
-func containerValidConfig(os *sys.OS, config map[string]string, profile bool, expanded bool) error {
+func containerValidConfig(sysOS *sys.OS, config map[string]string, profile bool, expanded bool) error {
if config == nil {
return nil
}
@@ -254,7 +254,7 @@ func containerValidConfig(os *sys.OS, config map[string]string, profile bool, ex
return fmt.Errorf("Image keys can only be set on containers.")
}
- err := containerValidConfigKey(os, k, v)
+ err := containerValidConfigKey(sysOS, k, v)
if err != nil {
return err
}
@@ -274,10 +274,20 @@ func containerValidConfig(os *sys.OS, config map[string]string, profile bool, ex
return fmt.Errorf("security.syscalls.whitelist is mutually exclusive with security.syscalls.blacklist*")
}
- if expanded && (config["security.privileged"] == "" || !shared.IsTrue(config["security.privileged"])) && os.IdmapSet == nil {
+ if expanded && (config["security.privileged"] == "" || !shared.IsTrue(config["security.privileged"])) && sysOS.IdmapSet == nil {
return fmt.Errorf("LXD doesn't have a uid/gid allocation. In this mode, only privileged containers are supported.")
}
+ if os.Getenv("LXD_UNPRIVILEGED_ONLY") == "true" {
+ if config["raw.idmap"] != "" {
+ return fmt.Errorf("Setting raw.idmap is not allowed. Check LXD_UNPRIVILEGED_ONLY.")
+ }
+
+ if shared.IsTrue(config["security.privileged"]) {
+ return fmt.Errorf("LXD_UNPRIVILEGED_ONLY is set, only unprivileged containers are allowed.")
+ }
+ }
+
return nil
}
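Review bot: The added guard parses the environment flag with `os.Getenv("LXD_UNPRIVILEGED_ONLY") == "true"`, while the same hunk (the `security.privileged` test two lines above it) and the rest of containerValidConfig parse booleans with `shared.IsTrue`; a daemon started with `LXD_UNPRIVILEGED_ONLY=1` or `=True` therefore applies no restriction at all, which makes a security control fail open on a spelling difference. Use `if shared.IsTrue(os.Getenv("LXD_UNPRIVILEGED_ONLY")) {` here, and the same in the matching block added to lxcValidConfig in the container_lxc.go hunk. The rename of the `os` parameter to `sysOS` presumably exists so the `os` package becomes reachable inside this function; the diffstat shows no import change, so I assume container.go already imports it. The patch touches only the two Go files, so the new variable is undocumented; a comment above the block such as `// LXD_UNPRIVILEGED_ONLY refuses privileged containers and any raw.idmap override; raw.lxc keys are screened in lxcValidConfig.` would at least record the intent next to the check.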
diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index b40eb99f3..4cf986f25 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -207,6 +207,16 @@ func lxcValidConfig(rawLxc string) error {
continue
}
+ if os.Getenv("LXD_UNPRIVILEGED_ONLY") == "true" {
+ if key == "lxc.idmap" || key == "lxc.id_map" {
+ return fmt.Errorf("Setting lxc.idmap is not allowed. Check LXD_UNPRIVILEGED_ONLY.")
+ }
+
+ if key == "lxc.include" {
+ return fmt.Errorf("Setting lxc.include is not allowed. Check LXD_UNPRIVILEGED_ONLY.")
+ }
+ }
+
// Blacklist some keys
if key == "lxc.logfile" || key == "lxc.log.file" {
return fmt.Errorf("Setting lxc.logfile is not allowed")
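Review bot: The new block re-reads the environment on every iteration, since `os.Getenv("LXD_UNPRIVILEGED_ONLY")` sits inside the per-key loop that the `continue` at the top of the hunk belongs to (the loop header itself is outside the hunk). Evaluating it once before the loop, e.g. `unprivilegedOnly := os.Getenv("LXD_UNPRIVILEGED_ONLY") == "true"`, and testing `if unprivilegedOnly {` in the body keeps the policy decision in one place and makes it obvious that the setting cannot change between lines of the same raw.lxc blob. A short comment on the block, `// Under LXD_UNPRIVILEGED_ONLY, raw.lxc may not redefine the id map or pull in external config files.`, would tell the next reader why these two keys in particular are refused.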