[lxc-users] Fwd: Security consequences of lxc.id_map not mapping a specific uid and gid

Christian Brauner christianvanbrauner at gmail.com
Thu Dec 11 08:10:52 UTC 2014


Hello,

I run unprivileged containers and I want them to have access to video and
sound devices. Hence, I put the following in my ~/.config/lxc/default.conf, as
suggested on Stéphane's blog:

    # Container specific configuration
    lxc.id_map = u 1001 101001 64535
    lxc.id_map = g 1001 101001 64535
    # uid and gid 1000 isn’t translated so that the container can access the
    # X socket and dri and snd and video0 devices
    lxc.id_map = u 0 100000 1000
    lxc.id_map = g 0 100000 1000
    lxc.id_map = u 1000 1000 1
    lxc.id_map = g 1000 1000 1

I was wondering, compared to an unprivileged container where I simply
map:

    lxc.id_map=u 0 100000 65536
    lxc.id_map=g 0 100000 65536

1) Am I significantly more vulnerable when I preserve the uid/gid of my
unprivileged user on the host for my user in the container?

2) And is there a different solution which would allow me to grant
access to the sound and video devices in /dev/snd and /dev/dri to the
user in my unprivileged container while still preserving the standard
mapping:

    lxc.id_map=u 0 100000 65536
    lxc.id_map=g 0 100000 65536

3) During container bootup, e.g. Debian Wheezy/Stable constantly
complains in the following manner (log output below), and I would like to
know if this can be avoided:

INIT: version 2.88 booting
Using makefile-style concurrent boot in runlevel S.
Cleaning up temporary files... /tmp.
mount: permission denied
mount: permission denied
mount: permission denied
mount: permission denied
mount: permission denied
Mount point '/dev/console' does not exist. Skipping mount. ... (warning).
Mount point '/dev/full' does not exist. Skipping mount. ... (warning).
Mount point '/dev/null' does not exist. Skipping mount. ... (warning).
Mount point '/dev/random' does not exist. Skipping mount. ... (warning).
Mount point '/dev/tty' does not exist. Skipping mount. ... (warning).
Mount point '/dev/urandom' does not exist. Skipping mount. ... (warning).
Mount point '/dev/zero' does not exist. Skipping mount. ... (warning).
Mount point '/dev/video0' does not exist. Skipping mount. ... (warning).
Mount point '/dev/fb0' does not exist. Skipping mount. ... (warning).
Mount point '/dev/console' does not exist. Skipping mount. ... (warning).
Mount point '/dev/tty1' does not exist. Skipping mount. ... (warning).
Mount point '/dev/tty2' does not exist. Skipping mount. ... (warning).
Mount point '/dev/tty3' does not exist. Skipping mount. ... (warning).
Mount point '/dev/tty4' does not exist. Skipping mount. ... (warning).
udev requires hotplug support, not started ... failed!
 failed!
Activating lvm and md swap...done.
Checking file systems...fsck from util-linux 2.20.1
done.
Mounting local filesystems...done.
/etc/init.d/mountall.sh: 59: kill: Illegal number: 4 1
Activating swapfile swap...done.
Cleaning up temporary files....
Setting kernel variables ...done.
Configuring network interfaces...done.
Cleaning up temporary files....
Setting up ALSA...Invalid card number.
Usage: amixer <options> [command]
Available options:
  -h,--help       this help
  -c,--card N     select the card
  -D,--device N   select the device, default 'default'
  -d,--debug      debug mode
  -n,--nocheck    do not perform range checking
  -v,--version    print version of this program
  -q,--quiet      be quiet
  -i,--inactive   show also inactive controls
  -a,--abstract L select abstraction level (none or basic)
  -s,--stdin      Read and execute commands from stdin sequentially
Available commands:
  scontrols       show all mixer simple controls
  scontents  show contents of all mixer simple controls (default command)
  sset sID P      set contents for one mixer simple control
  sget sID        get contents for one mixer simple control
  controls        show all controls for given card
  contents        show contents of all controls for given card
  cset cID P      set control contents for one control
  cget cID        get control contents for one control


Best,
Christian

System Information:

Arch Linux with user namespace supported kernel.
lxc 1.0.7

cgroups are created with this script:

    printf '\n\033[42mCreating cgroup hierarchy\033[m\n\n' &&
    for d in /sys/fs/cgroup/*; do
            f=$(basename "$d")
            echo "looking at $f"
            if [ "$f" = "cpuset" ]; then
                    # let new cpuset cgroups inherit cpus/mems from the parent
                    echo 1 | sudo tee -a "$d/cgroup.clone_children"
            elif [ "$f" = "memory" ]; then
                    echo 1 | sudo tee -a "$d/memory.use_hierarchy"
            fi
            # per-user cgroup, owned by the user so an unprivileged lxc can create sub-cgroups in it
            sudo mkdir -p "$d/$USER"
            sudo chown -R "$USER" "$d/$USER"
            # move the current shell into the new cgroup
            echo $$ > "$d/$USER/tasks"
    done
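As an added illustration (my own code, not part of the post), a small Python script that parses the lxc.id_map lines quoted above and translates container uids/gids to the host ids they really are. It makes the difference between the two mappings visible: with the split mapping, container id 1000 is the host user's own identity, so whatever that user can read or write on the host is reachable from inside the container; with the plain 65536 mapping, no container id lands inside the host's real user range. The config strings are copied from the post; the function names are assumptions of this example.

```python
import re

# Configuration text copied from the post: the split mapping that keeps
# uid/gid 1000 untranslated, and the standard one-range mapping.
SPLIT_CONF = """
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
"""

STANDARD_CONF = """
lxc.id_map=u 0 100000 65536
lxc.id_map=g 0 100000 65536
"""

_LINE = re.compile(r"^\s*lxc\.id_map\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_id_map(conf_text):
    """Return {'u': [(container_start, host_start, count), ...], 'g': [...]}."""
    maps = {"u": [], "g": []}
    for line in conf_text.splitlines():
        m = _LINE.match(line)
        if m:
            maps[m.group(1)].append(tuple(int(x) for x in m.groups()[1:]))
    return maps


def to_host(ranges, cont_id):
    """Translate one container id to its host id, or None if it is unmapped
    (an unmapped id shows up as the overflow/nobody id on the host)."""
    for c, h, n in ranges:
        if c <= cont_id < c + n:
            return h + (cont_id - c)
    return None


def container_ids_for_host(ranges, host_id):
    """Container ids that are literally the given host id (same identity, same file access)."""
    return sorted(c + (host_id - h) for c, h, n in ranges if h <= host_id < h + n)


def host_ids_in(ranges, lo, hi):
    """Host ids in [lo, hi) that some container id maps onto; for lo=0, hi=65536
    this is the set of real host users/groups the container can act as."""
    found = set()
    for c, h, n in ranges:
        start, end = max(h, lo), min(h + n, hi)
        found.update(range(start, end))
    return sorted(found)
```

Running host_ids_in(ranges, 0, 65536) on each mapping is the quick check: an empty list means no container process can own or open the host's own users' files.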