[Lxc-users] User space driver

Serge E. Hallyn serge.hallyn at canonical.com
Wed Jun 30 03:29:31 UTC 2010


Quoting Nirmal Guhan (vavatutu at gmail.com):
> On Mon, Jun 28, 2010 at 4:18 PM, Serge E. Hallyn
> <serge.hallyn at canonical.com> wrote:
> > Quoting Nirmal Guhan (vavatutu at gmail.com):
> >> I need to add user space device driver from a container and the driver
> >> is specific to the container (host won't see it). Is it possible to do
> >> so? I hope so but wanted to confirm before I start (and any other
> >> things I should keep in mind).
> >>
> >> Please let me know.
> >>
> >> --Nirmal
> >
> > Forgive my ignorance.
> >
> > Can you point me to an example of how you insert such a driver, and
> > how it interacts with the kernel?
> >
> > I would assume it talks ioctls over some device file...  In any case
> > it's certainly doable, but likely not with any pretense of protecting
> > the other containers or the host from that driver.
> >
> > -serge
> 
> I stand corrected. I just want to create my driver the usual way (in
> kernel space) but want to differentiate between the host and container
> accesses. Host accesses to /dev/mydevice may have higher privileges
> than container accesses. Is there a way to differentiate between the
> requestors (host vs container) ?
> 
> --Nirmal

You can start your container with some capabilities dropped from the
capability bounding set.  See lxc.cap.drop in lxc.conf manpage.  That's
probably the best way.

Since your device driver is in the kernel, you can also look at other
properties like current_user_ns(), the pid namespace, etc.

-serge
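The capability-bounding-set approach Serge describes is observable from inside the container: whatever `lxc.cap.drop` removes shows up as cleared bits in the `CapBnd` line of `/proc/<pid>/status`, and an in-kernel driver's `capable()` check for that caller fails accordingly. The following C program is an added example (not code from this thread or from LXC) that parses that line and reports whether selected capabilities survived; the sample status text is constructed, and the capability numbers are taken from `linux/capability.h` (assumed here as literal constants so the program builds without kernel headers).

```c
/*
 * Added example (not from the mailing-list thread): check which capabilities
 * remain in a process's bounding set by parsing the CapBnd line of
 * /proc/<pid>/status. A container started with, for example,
 *     lxc.cap.drop = sys_admin sys_rawio mknod
 * has those bits clear, which is exactly what a driver's
 *     if (!capable(CAP_SYS_ADMIN)) return -EPERM;
 * check sees for a caller from that container.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Capability numbers from linux/capability.h (assumed as literals here). */
#define CAP_NET_BIND_SERVICE 10
#define CAP_SYS_RAWIO        17
#define CAP_SYS_ADMIN        21
#define CAP_MKNOD            27

/* Extract the 64-bit bounding-set mask from the text of a status file.
 * Returns 0 on success, -1 if no usable CapBnd line is present. */
int parse_cap_bnd(const char *status_text, uint64_t *mask)
{
    const char *p = strstr(status_text, "CapBnd:");
    if (!p)
        return -1;
    p += strlen("CapBnd:");
    while (*p == ' ' || *p == '\t')
        p++;
    char *end;
    unsigned long long v = strtoull(p, &end, 16);
    if (end == p)
        return -1;
    *mask = (uint64_t)v;
    return 0;
}

/* 1 if capability number `cap` is present in `mask`, else 0. */
int cap_in_mask(uint64_t mask, int cap)
{
    if (cap < 0 || cap > 63)
        return 0;
    return (int)((mask >> cap) & 1ULL);
}

/* Constructed sample: a full 41-capability set (0x1ffffffffff) with
 * sys_rawio (17), sys_admin (21) and mknod (27) cleared by lxc.cap.drop. */
const char sample_status[] =
    "Name:\tmydaemon\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t000001fff7ddffff\n"
    "CapEff:\t000001fff7ddffff\n"
    "CapBnd:\t000001fff7ddffff\n";

/* Read a status file into a buffer and print which of the capabilities of
 * interest are still in the bounding set. Returns 0 on success. */
int report_bounding_set(const char *path)
{
    char buf[8192];
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';

    uint64_t mask;
    if (parse_cap_bnd(buf, &mask) != 0)
        return -1;

    printf("CapBnd = 0x%016llx\n", (unsigned long long)mask);
    printf("sys_admin:        %s\n", cap_in_mask(mask, CAP_SYS_ADMIN) ? "present" : "dropped");
    printf("sys_rawio:        %s\n", cap_in_mask(mask, CAP_SYS_RAWIO) ? "present" : "dropped");
    printf("mknod:            %s\n", cap_in_mask(mask, CAP_MKNOD) ? "present" : "dropped");
    printf("net_bind_service: %s\n", cap_in_mask(mask, CAP_NET_BIND_SERVICE) ? "present" : "dropped");
    return 0;
}

int main(void)
{
    /* Run inside and outside the container to see the difference. */
    return report_bounding_set("/proc/self/status") == 0 ? 0 : 1;
}
```

Running this on the host and then inside a container configured with `lxc.cap.drop` shows the dropped bits directly, and is a quick way to confirm the configuration took effect before relying on it in the driver's permission checks.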
