[Lxc-users] sandbox config file

Serge Hallyn serge.hallyn at canonical.com
Mon Jan 28 22:08:00 UTC 2013


Quoting pablo platt (pablo.platt at gmail.com):
> Hi,
> 
> Is there an example for a config file needed to create a sandbox?
> I'm using ubuntu 12.04 (can use any other version if required).
> I need to execute untrusted code inside a sandbox with lxc-execute.
> 
> libvirt-sandbox seems to be what I need but it's not available in ubuntu
> and doesn't support limiting ram and cpu.
> https://www.berrange.com/posts/2012/01/17/building-application-sandboxes-with-libvirt-lxc-kvm/
> 
> Is there an equivalent in lxc tools?
> Is there a plan for something like a lxc-sandbox command?
> 
> Basically I want to disable everything and allow only the minimum to
> compile and execute simple scripts.
> 
> I've started with the following config file but I don't know what else need
> to be prevented or changed to protect the host.
> Does anyone have a config file he can share?
> 
> Thanks
> 
> lxc.network.type = empty
> lxc.cgroup.cpu.shares = 1234
> lxc.cgroup.memory.limit_in_bytes = 10M
> lxc.cgroup.memory.memsw.limit_in_bytes = 20M
> lxc.cgroup.devices.deny = a
> lxc.cap.drop = audit_control audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mac_admin mac_override mknod net_admin net_bind_service net_broadcast net_raw setgid setfcap setpcap setuid sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config
> #lxc.cap.drop = sys_admin syslog

You could also use a custom aa_profile and (if you move from precise to
quantal) add a tight seccomp profile.

There is no lxc-sandbox tool right now (at least in the main source, or
elsewhere that I know of).  arkose might do what you want, not sure.
But if you're willing to write it, an lxc-sandbox command would be a
nice addition to lxc-execute IMO.

-serge
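Added example (not part of either message above): the original poster's config carried through with the two things the reply suggests, an AppArmor profile and a seccomp policy, plus the device allow lines and the sys_admin/syslog drop that a sandbox for untrusted code needs. The config path, the profile name lxc-sandbox and the policy path are assumptions; the profile has to be written and loaded separately. The seccomp policy shown uses the version 2 (syscall names) format, which needs lxc 1.0 or later; the lxc 0.8 in quantal that the reply refers to only accepts the older numeric format.

```ini
# /var/lib/lxc/sandbox/config  (assumed path; pass it to lxc-execute with -f)
# Added example, not code from the thread.

# No network interface of any kind.
lxc.network.type = empty

# Resource limits, same values as the original poster used.
lxc.cgroup.cpu.shares = 1234
lxc.cgroup.memory.limit_in_bytes = 10M
lxc.cgroup.memory.memsw.limit_in_bytes = 20M

# Deny every device, then allow back only the character devices a
# compiler or interpreter actually needs: /dev/null (1:3), /dev/zero (1:5),
# /dev/random (1:8), /dev/urandom (1:9).  With only the deny line, even
# "cmd > /dev/null" fails inside the container.
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm

# lxc.cap.drop accumulates across lines, so the list does not have to be
# one very long line.  sys_admin and syslog, commented out in the original
# post, are dropped here too: a process that keeps CAP_SYS_ADMIN can still
# call mount(2) and friends, which undoes most of the rest of this file.
lxc.cap.drop = audit_control audit_write chown dac_override dac_read_search
lxc.cap.drop = fowner fsetid ipc_lock ipc_owner kill lease linux_immutable
lxc.cap.drop = mac_admin mac_override mknod net_admin net_bind_service
lxc.cap.drop = net_broadcast net_raw setgid setfcap setpcap setuid
lxc.cap.drop = sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace
lxc.cap.drop = sys_rawio sys_resource sys_time sys_tty_config
lxc.cap.drop = sys_admin syslog

# The two additions suggested in the reply.  Profile name and policy path
# are assumptions; the profile must exist under /etc/apparmor.d and be
# loaded, and the policy file must be readable by the host at start time.
lxc.aa_profile = lxc-sandbox
lxc.seccomp = /var/lib/lxc/sandbox/seccomp.policy

# Contents of /var/lib/lxc/sandbox/seccomp.policy (version 2 format,
# lxc >= 1.0).  Line 1 is the format version, line 2 the list type;
# each following line is "<syscall> <action>".  This blacklist makes
# the mount-related and module-loading calls fail with an errno instead
# of succeeding, on top of the capability drops above.
#
#   2
#   blacklist
#   mount errno 1
#   umount2 errno 1
#   pivot_root errno 1
#   init_module errno 1
#   finit_module errno 1
#   delete_module errno 1
#   kexec_load errno 1
#   reboot errno 1
#   ptrace errno 1
```

Two caveats a practitioner would check before relying on this. First, the fragment sets no lxc.rootfs, so lxc-execute will run the command against the host's own filesystem (in a private mount namespace, but with the host's files visible); containing untrusted code properly means pointing lxc.rootfs at a minimal, separately built root that holds only the compiler and interpreter. Second, the policy is a blacklist: anything not named stays allowed. A whitelist of the syscalls the scripts actually use is tighter, but has to be built by tracing real runs, since an incomplete whitelist kills the sandboxed process on the first unlisted call.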
