[Lxc-users] dropping capabilities
Trent W. Buck
twb at cybersource.com.au
Tue Dec 7 10:20:19 UTC 2010
Daniel Lezcano <daniel.lezcano at free.fr> writes:
> I am not sure there is a default set of capabilities to be dropped.
> Certainly some should be dropped like CAP_SYS_MODULE but others will
> depend on what the user expect to do with the container and what scripts
> will be run inside the container.
I was thinking about CAP_SYS_MODULE... it would be useful if
iptables-restore(8) in a container could load modules like
xt_recent.ko... but will it try to load xt_recent.ko from the dom0's
filesystem, or the container's?
If a malicious root user in a container is allowed to modprobe arbitrary
kernel modules, what would likely exploits be? The only one I can think
of offhand is "modprobe kvm" hard-hanging the dom0 on a machine that's
already running OpenVZ and VMware Server 1.x.
Plan B for per-continer firewalls is simply that the domU admin has to
to call the dom0 admin and ask him to add xt_foo to dom0:/etc/modules.
> We have certainly think about the root user inside a container, is it
> secure ? IMO, until the user namespace is not complete, it is not secure.
Is there a roadmap for that (or for "secure" containers in general)?
>> CAP_SYS_TIME
>> should be dropped
>>
> yes and ensure /dev/rtc is read-only and protected with the cgroup
> devices whitelist.
In 0.7.2's lxc-ubuntu template, it has
lxc.cgroup.devices.deny = a
...
lxc.cgroup.devices.allow = c 254:0 rwm
I guess that should be change to this?
lxc.cgroup.devices.deny = a
...
lxc.cgroup.devices.allow = c 254:0 rm
>> CAP_SYS_TTY_CONFIG
>> should be dropped
>>
> I am not sure, won't getty need it ?
FWIW, my gettys don't (Ubuntu 10.04 dom0 and domU, LXC 0.7.2).
More information about the lxc-users
mailing list