[PATCH] lxc: Stop mouning /proc and /sys read only


 



Mounting parts of /proc and /sys read only provides no security
without user namespaces, since root has the privilege to remount
them writable again. When user namespaces are enabled, it offers
no security benefit, since the UID remapping already prevents
write access to the correct areas.
---
 src/lxc/lxc_container.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 380d136..a764865 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -850,11 +850,18 @@ typedef struct {
 } virLXCBasicMountInfo;
 
 static const virLXCBasicMountInfo lxcBasicMounts[] = {
+    /*
+     * Leave these read-write. In non-user-namespace scenario, making them
+     * read-only provides no security since root can just remount them
+     * writeable again. In a user-namespace scenario, the UID/GID mappings
+     * will already prevent root from doing anything bad to files, so
+     * there's no gain to making them read-only
+     */
     { "proc", "/proc", "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, false, false, false },
-    { "/proc/sys", "/proc/sys", NULL, MS_BIND|MS_RDONLY, false, false, false },
-    { "/.oldroot/proc/sys/net/ipv4", "/proc/sys/net/ipv4", NULL, MS_BIND, false, false, true },
-    { "/.oldroot/proc/sys/net/ipv6", "/proc/sys/net/ipv6", NULL, MS_BIND, false, false, true },
-    { "sysfs", "/sys", "sysfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, false, false, false },
+    { "sysfs", "/sys", "sysfs", MS_NOSUID|MS_NOEXEC|MS_NODEV, false, false, false },
+    /* These two are marked RDONLY not as security protection mechanism,
+       but to indicate to userspace that LSMs are not available inside
+       the container */
     { "securityfs", "/sys/kernel/security", "securityfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true, true, false },
 #if WITH_SELINUX
     { SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true, true, false },
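Review bot: The two comments added to lxcBasicMounts use different block-comment layouts — the one above the "proc" entry uses ` * ` continuation lines, while the one above the "securityfs" entry uses bare indented continuation and a different closing style — and the first one ends without a terminating period; writing the second in the same ` * ` form, e.g. ` * These two are marked RDONLY not as a security protection mechanism,` / ` * but to indicate to userspace that LSMs are not available inside` / ` * the container.`, keeps the table readable. The first comment sits above the whole table but its rationale applies specifically to the "proc" and "sysfs" entries, so opening it with `Leave /proc and /sys read-write.` and spelling "writable" consistently with the commit message would make the scope explicit. It may also be worth stating in that comment that MS_NOSUID|MS_NOEXEC|MS_NODEV are deliberately retained as the remaining hardening on both mounts, so a later reader does not take "no gain to making them read-only" as licence to drop those flags too. The lxcBasicMounts table continues past the end of the hunk.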
-- 
2.1.0



