[lxc-users] unprivileged container + setcap not working

Philip ultrafit67 at gmail.com
Mon Dec 18 01:28:44 UTC 2017


Yes, there is no need to set init_uid in this situation (unprivileged container +
setcap).
lxc.network.type = none --> CLONE_NEWNET is not set at clone --> when
creating a raw socket, the kernel's cap_capable() sees ns != cred->user_ns -->
cap_raised() is not checked --> the unprivileged testapp gets an EPERM error.
Does cap_capable() need to be patched for this case?

On Sat, Dec 16, 2017 at 1:07 AM Serge E. Hallyn <serge at hallyn.com> wrote:

> Quoting Philip (ultrafit67 at gmail.com):
> > Please ignore step 4, lxc.id_map only allows ONE uid/gid, so
> > lxc_switch_uid_gid will fail
>
> I'm not sure what you mean by that, but your id mapping makes
> uid 2000 on the host map to 0 in the container, and that is the
> only uid in the container.
>
> So lxc.init_uid would need to be 0 - the id in the container.
>
> > On Fri, Dec 15, 2017 at 10:17 AM Philip <ultrafit67 at gmail.com> wrote:
> >
> > > Hi,
> > >
> > > I want to use an unprivileged container + setcap to set limited
> > > capabilities, but cannot get it to work. Here is my test (lxc-1.0.8 and lxc-2.0.8):
> > >
> > > testapp:
> > > int ret = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
> > > fprintf(stderr, "socket ret %d, %s\n", ret, strerror(errno));
> > >
> > > 1. add net_raw capability
> > > setcap cap_net_admin,cap_net_raw=eip ./testapp
> > >
> > > 2. switch to uid 2000, execute testapp
> > > $ ./testapp
> > > socket ret 3, Success
> > >
> > > 3. use unprivileged container to run testapp
> > > lxc config:
> > > lxc.network.type = none
> > > lxc.id_map = u 0 2000 1
> > > lxc.id_map = g 0 2000 1
> > >
> > > sudo lxc-execute -n testapp -f config -P /files/testapp
> > > ....
> > > socket ret -1, Operation not permitted
> > >
> > > 4. using lxc-2.0.8, add init_uid/init_gid
> > > lxc.init_uid = 2000
> > > lxc.init_gid = 2000
> > >
> > > lxc-execute: utils.c: lxc_switch_uid_gid: 2069 Invalid argument - Failed
> > > to switch to gid 2000.
> > >
> > > Can anyone help? What is going wrong?
> > >
>
> > _______________________________________________
> > lxc-users mailing list
> > lxc-users at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-users
>
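The program below is an added diagnostic written for this thread; it is not code from Philip, Serge or the LXC project. It checks, from inside a running process, the rule Philip traces above: raw socket creation is gated by ns_capable(net->user_ns, CAP_NET_RAW), so CAP_NET_RAW has to be held in the user namespace that owns the network namespace the process lives in. With lxc.network.type = none the container stays in the host's network namespace, which is owned by the initial user namespace, so a capability granted by setcap inside the container's own user namespace cannot satisfy that check. The program uses the NS_GET_USERNS ioctl on /proc/self/ns/net (Linux 4.9 and later, an assumption about the kernel it runs on) to find out whether the net namespace is owned by the caller's user namespace or a descendant of it, reads CapEff from /proc/self/status, and then repeats the socket() call from the testapp. The function names are mine.

```c
/* Added diagnostic: why does socket(AF_INET, SOCK_RAW, ...) fail in a
 * user namespace even though setcap granted CAP_NET_RAW?  The kernel
 * checks ns_capable(net->user_ns, CAP_NET_RAW): the capability must be
 * held in the user namespace that OWNS the current net namespace. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <linux/capability.h>   /* CAP_NET_RAW */

/* Same values as <linux/nsfs.h> (Linux >= 4.9); defined here so the file
 * also builds against older userspace headers. */
#ifndef NS_GET_USERNS
#ifndef NSIO
#define NSIO 0xb7
#endif
#define NS_GET_USERNS _IO(NSIO, 0x1)
#endif

/* Returns 1 if the owning user namespace of our net namespace is our own
 * user namespace or a descendant of it (the ioctl succeeds), so
 * capabilities we hold apply to it; 0 if the kernel answers EPERM, which
 * means the owner is an ancestor (e.g. init_user_ns when the container
 * was started with lxc.network.type = none) and our capabilities do not
 * apply; -1 if it cannot be determined (no /proc, no NS_GET_USERNS). */
int netns_caps_apply(void)
{
    int nsfd = open("/proc/self/ns/net", O_RDONLY);
    if (nsfd < 0)
        return -1;
    int owner = ioctl(nsfd, NS_GET_USERNS);
    int err = errno;
    close(nsfd);
    if (owner >= 0) {
        close(owner);
        return 1;
    }
    return err == EPERM ? 0 : -1;
}

/* 1 if CAP_NET_RAW is in the effective set (CapEff line of
 * /proc/self/status), 0 if not, -1 if the file cannot be read. */
int cap_net_raw_effective(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    char line[256];
    int result = -1;
    while (fgets(line, sizeof line, f)) {
        unsigned long long eff;
        if (sscanf(line, "CapEff: %llx", &eff) == 1) {
            result = (int)((eff >> CAP_NET_RAW) & 1ULL);
            break;
        }
    }
    fclose(f);
    return result;
}

/* The call from the testapp in the thread: 0 on success, else errno. */
int try_raw_socket(void)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* 1 if what we observe matches the kernel rule, 0 if it does not.
 * EACCES is tolerated because an LSM may refuse the socket independently
 * of the capability check. */
int check_consistent(void)
{
    int cap = cap_net_raw_effective();
    int own = netns_caps_apply();
    int rc  = try_raw_socket();
    if (cap == 0 && rc == 0)
        return 0;   /* no CAP_NET_RAW, yet a raw socket was created */
    if (cap == 1 && own == 1 && rc != 0 && rc != EACCES)
        return 0;   /* cap held in the owning user ns, still refused */
    return 1;
}

int main(void)
{
    int own = netns_caps_apply();
    int cap = cap_net_raw_effective();
    int rc  = try_raw_socket();
    printf("net namespace owned by my user namespace (or a child): %d\n", own);
    printf("CAP_NET_RAW effective: %d\n", cap);
    printf("socket(AF_INET, SOCK_RAW, IPPROTO_RAW): %s\n",
           rc == 0 ? "Success" : strerror(rc));
    if (cap == 1 && own == 0)
        printf("CAP_NET_RAW is held in a user namespace that does not own "
               "the net namespace: ns_capable(net->user_ns, CAP_NET_RAW) fails.\n");
    return rc != 0;
}
```

Run it as uid 2000 on the host after setcap (expect the net namespace to be reported as owned by your user namespace, CAP_NET_RAW effective, and Success), then under lxc-execute with the config above (expect 0 for the ownership question and Operation not permitted). If CapEff inside the container does not contain CAP_NET_RAW at all, the file capability was never applied at exec, which is a different problem from the one traced in the thread. Giving the container its own network namespace (for instance lxc.network.type = empty, which creates a namespace holding only loopback) makes that namespace owned by the container's user namespace, so CAP_NET_RAW held there satisfies the check; whether that is acceptable depends on what the raw socket is for, since it then only sees the container's interfaces.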