[lxc-users] Nested container in unprivileged container

Xavier Gendre gendre.reivax at gmail.com
Mon Jun 15 18:51:49 UTC 2015


On 15/06/2015 17:17, Serge Hallyn wrote:
> Quoting Xavier Gendre (gendre.reivax at gmail.com):
>> Hi,
>>
>> I wanted to run a container in an unprivileged container and I am
>> glad to have succeeded in doing it. The point is that I am not sure if what
>> I did is acceptable from the security point of view or not...
>>
>> Here are the steps I did:
>>
>> 1) create an unprivileged container (lxc.id_map, ...) called 'test'.
>>
>> 2) mount a tmpfs to /sys/fs/cgroup in 'test' by adding this line in
>> its config file:
>>
>> lxc.mount.auto = cgroup:mixed
>>
>> 3) create a basic container called 'p1' with the download template
>> as root in 'test'.
>>
>> 4) in the host, I chown the cgroup hierarchy of 'test' to give it to
>> the user id mapped to the id 0 in 'test' (this id is 362144 in my
>> example),
>>
>> for T in `ls /sys/fs/cgroup`; do
>>    chown -R 362144:362144 /sys/fs/cgroup/$T/lxc/test
>> done
>>
>> 5) successfully start the container 'p1' in 'test' :-)
>>
>> I am not an expert with cgroups and I am wondering if I am letting
>> the devil enter my home with that...
>>
>> So, what is your opinion: is it a possible security break or is it safe?
>
> Two things to make this safer
>
> 1. only chown the actual directory /sys/fs/cgroup/$T/lxc/test and maybe
> its 'tasks' and 'cgroup.procs' files.  That way the container can create
> sub-cgroups but cannot raise its own limits.
>
> 2. Only do this for the controllers you definitely need.  Freezer and
> memory for example.  Then set lxc.cgroup.use in /etc/lxc/lxc.conf
> (see lxc.system.conf(5)).
>
> -serge

Hello Serge,

thank you for your advice. Indeed, chowning only the directories is 
sufficient to start the nested container. I did not have to chown 
'tasks' and 'cgroup.procs' in order to simply start it.

Your second point is more obscure to me... For now, I have to chown all 
the controllers:

'blkio' 'cpu,cpuacct' 'cpuset' 'devices' 'freezer' 'net_cls,net_prio' 
'perf_event'

When you say 'need', does it apply to the container 'test' or to 'p1' in my 
example? If I plan to allow quite general containers to run in my 
unprivileged container, should all the controllers be chowned, or are 
there some that are definitely not needed?

Thanks,
Xavier
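The following is an added example, not code from the thread or from the LXC project, of the safer delegation Serge describes: chown only the container's own cgroup directory for an explicit list of controllers, never `chown -R`, so the container can create sub-cgroups for nested containers while its own limit files stay root-owned. It assumes the cgroup v1 layout from the thread (`/sys/fs/cgroup/<controller>/lxc/<name>`); the `CGROUP_ROOT` override and the function names `delegation_targets`, `delegate_cgroup_dirs` and `check_not_recursive` are this example's own. The audit function is what a host admin would run afterwards to confirm no recursive chown handed the container its limit files.

```shell
#!/bin/sh
# Added example (not from the thread): non-recursive cgroup delegation for a
# nested unprivileged container, plus an audit for the recursive mistake.
# CGROUP_ROOT defaults to the real tree; it can point at a test tree instead.
CGROUP_ROOT="${CGROUP_ROOT:-/sys/fs/cgroup}"

# Print the directories that would be delegated, one per line, for the named
# container and the listed controllers. Controllers that have no cgroup for
# this container are skipped, so the list stays explicit (e.g. freezer memory)
# rather than "everything under /sys/fs/cgroup".
delegation_targets() {
    name="$1"; shift
    for ctrl in "$@"; do
        dir="$CGROUP_ROOT/$ctrl/lxc/$name"
        [ -d "$dir" ] && printf '%s\n' "$dir"
    done
    return 0
}

# chown only the cgroup directory itself (no -R). The container's mapped root
# uid can then mkdir sub-cgroups for 'p1', but the files inside the directory
# (memory.limit_in_bytes, cpuset.cpus, ...) keep their root ownership, so the
# container cannot raise its own limits. owner is "uid:gid" of mapped root.
delegate_cgroup_dirs() {
    name="$1"; owner="$2"; shift 2
    delegation_targets "$name" "$@" | while IFS= read -r dir; do
        chown "$owner" "$dir" || exit 1
    done
}

# Audit: report anything *inside* a delegated directory that the container's
# uid owns. A non-empty result means a recursive chown (like the chown -R in
# the original steps) gave the container write access to its own limit files.
# Returns 0 when the directory is clean, 1 otherwise.
check_not_recursive() {
    dir="$1"; uid="$2"
    leaked=$(find "$dir" -mindepth 1 -user "$uid" 2>/dev/null | wc -l | tr -d ' ')
    [ "$leaked" -eq 0 ]
}

# Usage on a host, for the thread's example uid and Serge's two controllers:
#   delegate_cgroup_dirs test 362144:362144 freezer memory
#   check_not_recursive /sys/fs/cgroup/memory/lxc/test 362144 && echo clean
```

With the controller list narrowed this way, the matching host-side setting Serge points to is `lxc.cgroup.use` in `/etc/lxc/lxc.conf` (see lxc.system.conf(5)), listing just those controllers so LXC does not expect the others to be writable.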

