[Lxc-users] sandbox config file

pablo platt pablo.platt at gmail.com
Mon Jan 28 22:34:56 UTC 2013


I'll be happy to be the driving force but I need info from experts.

Let's say the command will look like this:
lxc-sandbox -n mybox /bin/bash
Do you think that lxc-sandbox can use an API similar to libvirt-sandbox?
http://rpm.pbone.net/index.php3/stat/45/idpl/19820275/numer/1/nazwa/virt-sandbox

Will lxc-sandbox need to call lxc-execute with a predefined secure config?
Will it need to use seccomp, apparmor, selinux or something else?

On Tue, Jan 29, 2013 at 12:08 AM, Serge Hallyn <serge.hallyn at canonical.com> wrote:

> Quoting pablo platt (pablo.platt at gmail.com):
> > Hi,
> >
> > Is there an example for a config file needed to create a sandbox?
> > I'm using ubuntu 12.04 (can use any other version if required).
> > I need to execute untrusted code inside a sandbox with lxc-execute.
> >
> > libvirt-sandbox seems to be what I need but it's not available in ubuntu
> > and doesn't support limiting ram and cpu.
> >
> > https://www.berrange.com/posts/2012/01/17/building-application-sandboxes-with-libvirt-lxc-kvm/
> >
> > Is there an equivalent in lxc tools?
> > Is there a plan for something like a lxc-sandbox command?
> >
> > Basically I want to disable everything and allow only the minimum to
> > compile and execute simple scripts.
> >
> > I've started with the following config file but I don't know what else
> > needs to be prevented or changed to protect the host.
> > Does anyone have a config file he can share?
> >
> > Thanks
> >
> > lxc.network.type = empty
> > lxc.cgroup.cpu.shares = 1234
> > lxc.cgroup.memory.limit_in_bytes = 10M
> > lxc.cgroup.memory.memsw.limit_in_bytes = 20M
> > lxc.cgroup.devices.deny = a
> > lxc.cap.drop = audit_control audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mac_admin mac_override mknod net_admin net_bind_service net_broadcast net_raw setgid setfcap setpcap setuid sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config
> > #lxc.cap.drop = sys_admin syslog
>
> You could also use a custom aa_profile and (if you move from precise to
> quantal) add a tight seccomp profile.
>
> There is no lxc-sandbox tool right now (at least in the main source, or
> elsewhere that I know of).  arkose might do what you want, not sure.
> But if you're willing to write it, an lxc-sandbox command would be a
> nice addition to lxc-execute IMO.
>
> -serge
>
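As an added example (my own code, not from the thread or the lxc project): a small Python linter that parses a config in the `key = value` form lxc uses and reports which of the settings discussed above are missing, using the quoted config as constructed sample input. The function names, the set of checks and the `CAPS_OF_NOTE` list are my own choices, taken from what the thread itself discusses.

```python
import re
# Constructed sample: the config posted in the thread, with the
# mail-wrapped lxc.cap.drop line joined back into one line.
SAMPLE = """\
lxc.network.type = empty
lxc.cgroup.cpu.shares = 1234
lxc.cgroup.memory.limit_in_bytes = 10M
lxc.cgroup.memory.memsw.limit_in_bytes = 20M
lxc.cgroup.devices.deny = a
lxc.cap.drop = audit_control audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mac_admin mac_override mknod net_admin net_bind_service net_broadcast net_raw setgid setfcap setpcap setuid sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config
#lxc.cap.drop = sys_admin syslog
"""
# The caps the thread's own commented-out line would drop (assumed list).
CAPS_OF_NOTE = {"sys_admin", "syslog"}
_UNITS = {"": 1, "K": 1 << 10, "M": 1 << 20, "G": 1 << 30}

def parse_lxc_config(text):
    """'key = value' per line; '#' starts a comment; repeated keys accumulate."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            conf.setdefault(key, []).append(value)
    return conf

def parse_size(value):
    """'10M' -> 10485760, using the K/M/G suffixes the cgroup files accept."""
    m = re.fullmatch(r"(\d+)([KMG]?)", value.strip().upper())
    if not m:
        raise ValueError(f"bad size: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]

def audit_sandbox_config(text):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_lxc_config(text)
    findings = []
    if conf.get("lxc.network.type") != ["empty"]:
        findings.append("network is not 'empty'")
    mem = conf.get("lxc.cgroup.memory.limit_in_bytes")
    if not mem or parse_size(mem[-1]) == 0:
        findings.append("no memory limit")
    if "a" not in conf.get("lxc.cgroup.devices.deny", []):
        findings.append("devices not denied with 'lxc.cgroup.devices.deny = a'")
    dropped = {c for v in conf.get("lxc.cap.drop", []) for c in v.split()}
    held = sorted(CAPS_OF_NOTE - dropped)
    if held:
        findings.append("caps still held: " + " ".join(held))
    return findings
```

Running `audit_sandbox_config(SAMPLE)` reports only the two caps the commented-out line leaves in place; uncommenting that line in the sample makes the audit return an empty list.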