[Lxc-users] [PATCH] Re: read only rootfs
Serge E. Hallyn
serge.hallyn at canonical.com
Tue Jul 19 11:33:39 UTC 2011
Quoting Michael H. Warfield (mhw at WittsEnd.com):
> On Mon, 2011-07-18 at 07:31 -0500, Serge E. Hallyn wrote:
> > Quoting Michael H. Warfield (mhw at WittsEnd.com):
> > > Unfortunately, I also still find that if there's a -o remount,ro in the
> > > halt/reboot script, it still sets /dev/pts to ro and that still
> > > propagates to the host and to the other containers triggering random
> >
> > Wow.
> >
> > Did a quick grep; is there any reason why lxc-start doesn't turn on
> > MS_SLAVE for the client's root? Something like:
> >
> > From 7fbc3ec940403605c53b253d8630c3f47fad154c Mon Sep 17 00:00:00 2001
> > From: Serge Hallyn <serge.hallyn at ubuntu.com>
> > Date: Mon, 18 Jul 2011 07:29:57 -0500
> > Subject: [PATCH 1/1] (untested) turn container rootfs into MS_SLAVE
> >
> > Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
> > ---
> > src/lxc/conf.c | 5 +++++
> > 1 files changed, 5 insertions(+), 0 deletions(-)
> >
> > diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> > index 2eb598b..d36fe47 100644
> > --- a/src/lxc/conf.c
> > +++ b/src/lxc/conf.c
> > @@ -732,6 +732,11 @@ static int setup_rootfs(const struct lxc_rootfs *rootfs)
> > return -1;
> > }
> >
> > + if (mount(rootfs->path, rootfs->path, "none", MS_SLAVE, 0)) {
> > + ERROR("failed to turn child rootfs into slave");
> > + return -1;
> > + }
> > +
> > DEBUG("mounted '%s' on '%s'", rootfs->path, rootfs->mount);
> >
> > return 0;
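Review bot: MS_SLAVE without MS_REC changes the propagation type of only the one mount at the target, so the submounts below it (the /dev/pts whose remount,ro the thread says propagates to the host) keep their existing propagation; use MS_SLAVE | MS_REC to make the whole subtree slave. The target also looks wrong: the DEBUG line immediately below records rootfs->path being mounted on rootfs->mount, so rootfs->mount is the mount point whose propagation should be changed, while rootfs->path need not be a mount point at all, in which case this mount() call fails with EINVAL. Source, fstype and data are ignored for a propagation-type change, so `mount(NULL, rootfs->mount, NULL, MS_SLAVE | MS_REC, NULL)` says exactly what is meant and passes the data pointer as NULL rather than 0.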
> > --
> > 1.7.4.1
>
> > > The kernel should also prohibit, totally, the propagation of remount
>
> > The kernel doesn't know about containers, so it's up to userspace :)
>
> Acceptable and that's reasonable. But, for security and integrity
> reasons, it has to be the host / parent user space not the guest / child
> user space which can make that decision. And it has to be the default.
> Anything less is a security vulnerability.
Right, which is why lxc, not the container, has to do it.
-serge
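The check and the fix the thread asks the host side to apply, as an added example that is not code from this thread or from lxc: read /proc/self/mountinfo (format per proc(5)) to see whether a mount point is in a shared peer group, and if so turn the whole subtree into a slave with MS_SLAVE | MS_REC from inside a fresh mount namespace, so a remount in the child cannot reach the host. The function names are mine; the mount() and unshare() calls need CAP_SYS_ADMIN, the parsing does not.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <unistd.h>

/*
 * A /proc/self/mountinfo line (proc(5)):
 *   36 35 98:0 /mnt1 /mnt2 rw,noatime master:1 - ext3 /dev/root rw
 *   (1)(2)(3)  (4)   (5)   (6)        (7)      (8)(9)  (10)      (11)
 * Field 7 is zero or more optional fields ("shared:N", "master:N", ...)
 * ended by a lone "-".  "shared:N" is what lets a remount in a new
 * mount namespace propagate back to the host.
 *
 * Returns 1 if LINE describes MOUNTPOINT and it is shared, 0 if it
 * describes MOUNTPOINT but is not shared, -1 if LINE is about another
 * mount point or is malformed.  Octal escapes (e.g. \040) in the mount
 * point field are not decoded here.
 */
int mountinfo_line_is_shared(const char *line, const char *mountpoint)
{
    char buf[4096];
    char *save = NULL, *tok;
    int field = 0, matched = 0, shared = 0;

    if (strlen(line) >= sizeof(buf))
        return -1;
    strcpy(buf, line);

    for (tok = strtok_r(buf, " \t\n", &save); tok != NULL;
         tok = strtok_r(NULL, " \t\n", &save)) {
        field++;
        if (field < 5)
            continue;                   /* ids, major:minor, root */
        if (field == 5) {               /* mount point */
            if (strcmp(tok, mountpoint) != 0)
                return -1;
            matched = 1;
            continue;
        }
        if (field == 6)
            continue;                   /* per-mount options */
        if (strcmp(tok, "-") == 0)
            break;                      /* end of optional fields */
        if (strncmp(tok, "shared:", 7) == 0)
            shared = 1;
    }
    return matched ? shared : -1;
}

/* Scan an open mountinfo stream for MOUNTPOINT.  The last matching line
 * wins: a later mount stacked on the same path is listed later.
 * Returns 1 (shared), 0 (not shared) or -1 (not found). */
int mountinfo_is_shared(FILE *f, const char *mountpoint)
{
    char line[4096];
    int ret = -1, r;

    while (fgets(line, sizeof(line), f) != NULL) {
        r = mountinfo_line_is_shared(line, mountpoint);
        if (r >= 0)
            ret = r;
    }
    return ret;
}

/* Same, for the calling process's own mount namespace. */
int mount_is_shared(const char *mountpoint)
{
    FILE *f = fopen("/proc/self/mountinfo", "r");
    int ret;

    if (f == NULL)
        return -1;
    ret = mountinfo_is_shared(f, mountpoint);
    fclose(f);
    return ret;
}

/* Make MOUNTPOINT and every mount below it a slave.  Source, fstype and
 * data are ignored for a propagation-type change; MS_REC is what makes
 * submounts such as /dev/pts follow.  Needs CAP_SYS_ADMIN. */
int make_subtree_slave(const char *mountpoint)
{
    return mount(NULL, mountpoint, NULL, MS_SLAVE | MS_REC, NULL);
}

/* Run as root: new mount namespace, then cut it off from the host. */
int main(void)
{
    if (unshare(CLONE_NEWNS) != 0) {
        perror("unshare(CLONE_NEWNS)");
        return 1;
    }
    if (mount_is_shared("/") != 1) {
        printf("/ is not shared; nothing to propagate\n");
        return 0;
    }
    if (make_subtree_slave("/") != 0) {
        perror("mount(MS_SLAVE|MS_REC)");
        return 1;
    }
    printf("/ was shared; now %s\n",
           mount_is_shared("/") == 0 ? "slave" : "still shared?");
    return 0;
}
```

After the MS_SLAVE | MS_REC call, the "/" line in the new namespace's mountinfo reads master:N instead of shared:N, which is the check to keep in a start-up path: a guest's `mount -o remount,ro` then changes only its own copy of the mount.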