On Fri, May 08, 2009 at 09:04:35AM +0900, Ryota Ozaki wrote: > Hi, > > Current lxc driver unexpectedly allows users inside containers to reboot > host physical machine. This patch prevents this by dropping CAP_SYS_BOOT > capability in the bounding set of the init processes in every containers. > > Note that the patch intends to make it easy to add further capabilities > to drop if needed, although I'm not sure which capabilities should be > dropped. (We might need to drop CAP_SETFCAP as well to be strict...) Great, the dropping of capabilities has been one of our major todo items for LXC. ACK to this patch Daniel > > Signed-off-by: Ryota Ozaki <ozaki.ryota@xxxxxxxxx> > > >From 0e7a7622bc6411bbe76c05c63c6e6e61d379d97b Mon Sep 17 00:00:00 2001 > From: Ryota Ozaki <ozaki.ryota@xxxxxxxxx> > Date: Fri, 8 May 2009 04:29:24 +0900 > Subject: [PATCH] lxc: drop CAP_SYS_BOOT capability to prevent > rebooting from inside containers > > Current lxc driver unexpectedly allows users inside containers to reboot > host physical machine. This patch prevents this by dropping CAP_SYS_BOOT > capability in the bounding set of the init processes in every containers. > --- > src/lxc_container.c | 30 ++++++++++++++++++++++++++++++ > 1 files changed, 30 insertions(+), 0 deletions(-) > > diff --git a/src/lxc_container.c b/src/lxc_container.c > index 3946b84..37ab216 100644 > --- a/src/lxc_container.c > +++ b/src/lxc_container.c > @@ -32,6 +32,8 @@ > #include <sys/ioctl.h> > #include <sys/mount.h> > #include <sys/wait.h> > +#include <sys/prctl.h> > +#include <sys/capability.h> > #include <unistd.h> > #include <mntent.h> 
> > @@ -639,6 +641,30 @@ static int lxcContainerSetupMounts(virDomainDefPtr vmDef, > return lxcContainerSetupExtraMounts(vmDef); > } > > + > +static int lxcContainerDropCapabilities( virDomainDefPtr vmDef ) > +{ > + int i; > + const struct { > + int id; > + const char *name; > + } caps[] = { > +#define ID_STRING(name) name, #name > + { ID_STRING(CAP_SYS_BOOT) }, > + }; > + > + for (i = 0 ; i < ARRAY_CARDINALITY(caps) ; i++) { > + if (prctl(PR_CAPBSET_DROP, caps[i].id, 0, 0, 0)) { > + lxcError(NULL, NULL, VIR_ERR_INTERNAL_ERROR, > + "%s", _("failed to drop %s"), caps[i].name); > + return -1; > + } > + } > + > + return 0; > +} > + > + > /** > * lxcChild: > * @argv: Pointer to container arguments > @@ -705,6 +731,10 @@ static int lxcContainerChild( void *data ) > if (lxcContainerEnableInterfaces(argv->nveths, argv->veths) < 0) > return -1; > > + /* drop a set of root capabilities */ > + if (lxcContainerDropCapabilities(vmDef) < 0) > + return -1; > + > /* this function will only return if an error occured */ > return lxcContainerExecInit(vmDef); > } > -- > 1.6.0.6 > > -- > Libvir-list mailing list > Libvir-list@xxxxxxxxxx > https://www.redhat.com/mailman/listinfo/libvir-list -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :| -- Libvir-list mailing list Libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
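Review bot: the `#include <sys/capability.h>` added in the include hunk of src/lxc_container.c introduces a libcap build dependency that nothing in the patch uses: lxcContainerDropCapabilities only calls prctl(2), and the CAP_SYS_BOOT constant it needs comes from `<linux/capability.h>`. Either include `<linux/capability.h>` instead, or add a configure check for libcap so builds on hosts without the libcap headers do not break. PR_CAPBSET_DROP also only exists from Linux 2.6.25, and older glibc `<sys/prctl.h>` copies do not define it; a `#ifdef PR_CAPBSET_DROP` guard (or a local fallback definition) would keep the driver compiling there.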
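Review bot: the lxcError call in lxcContainerDropCapabilities has its format string wrong: `"%s", _("failed to drop %s"), caps[i].name` formats the translated message as a plain string, so the user sees the literal text `failed to drop %s` and caps[i].name is an unused trailing argument. It should read `lxcError(NULL, NULL, VIR_ERR_INTERNAL_ERROR, _("failed to drop %s"), caps[i].name);`, and including errno would help, since prctl fails with EPERM when the caller lacks CAP_SETPCAP and with EINVAL on kernels older than 2.6.25 that have no bounding set, and that is exactly the distinction an admin will need. Two smaller points: `vmDef` is unused in this function and should be removed or marked ATTRIBUTE_UNUSED, and the ID_STRING macro is not `#undef`'d after the table. Worth a comment as well: PR_CAPBSET_DROP removes the capability from the bounding set only, so this process keeps CAP_SYS_BOOT in its effective set until lxcContainerExecInit execs; the restriction takes hold at that execve, which is fine here but is the thing future callers must not rely on before the exec. Finally, with CAP_SYS_BOOT gone, reboot(2) inside the container returns EPERM, so an in-container `reboot` or `shutdown -r` will no longer do anything at all rather than restart the container; that is the intended trade-off, but it deserves a mention in the commit message.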
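Review bot: the call site in lxcContainerChild should say, in its comment, that the drop table may only hold capabilities the setup steps above it no longer need, because the commit message anticipates adding more (CAP_SETFCAP is mentioned) and a bounding-set drop is irreversible for this process. The placement itself is right: it comes after lxcContainerSetupMounts and lxcContainerEnableInterfaces, which may need privileged capabilities, and immediately before lxcContainerExecInit, so the execve that follows is what makes the drop effective for the container's init and everything it spawns. Returning -1 on failure matches the neighbouring calls.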
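The following is an added example written for this page, not libvirt code and not part of the thread, showing what the patch's PR_CAPBSET_DROP call does and does not do. It uses the same {id, name} table shape as the patch, drops CAP_SYS_BOOT in a forked child (standing in for lxcContainerChild) and checks three properties with prctl(PR_CAPBSET_READ) and a raw capget(2): the child's bounding set loses the capability, the child's effective set is untouched until an execve, and the parent's bounding set is unaffected because the set is per-thread and copied at fork. It is Linux-only and the drop itself needs CAP_SETPCAP, so unprivileged callers get EPERM, which the code reports rather than hides; the function names and the exit-code convention are this example's own.

```c
/* Added example, not libvirt code: semantics of PR_CAPBSET_DROP.
 * Linux only; needs a kernel with capability bounding sets (2.6.25+). */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/capability.h>

struct cap_entry { int id; const char *name; };

/* Same table shape as the patch; CAP_SYS_BOOT is the one it drops. */
static const struct cap_entry dropped_caps[] = {
    { CAP_SYS_BOOT, "CAP_SYS_BOOT" },
};

/* 1 if cap is in the calling thread's bounding set, 0 if it is not,
 * -1 (errno EINVAL) for a capability number the kernel does not know. */
int cap_in_bounding_set(int cap)
{
    return prctl(PR_CAPBSET_READ, (unsigned long)cap, 0, 0, 0);
}

/* 1 if cap is in the calling thread's *effective* set (what reboot(2) checks),
 * 0 if not, -1 on error. Raw capget(2), so no libcap is needed. */
int cap_in_effective_set(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    return (data[CAP_TO_INDEX(cap)].effective & CAP_TO_MASK(cap)) ? 1 : 0;
}

/* Drop every entry from the bounding set. Returns 0, or -errno of the first
 * failure with *failed pointing at the offending entry (needs CAP_SETPCAP). */
int drop_bounding_caps(const struct cap_entry *caps, size_t n,
                       const struct cap_entry **failed)
{
    for (size_t i = 0; i < n; i++) {
        if (prctl(PR_CAPBSET_DROP, (unsigned long)caps[i].id, 0, 0, 0) != 0) {
            if (failed)
                *failed = &caps[i];
            return -errno;
        }
    }
    return 0;
}

/* Mirror of the libvirt flow: a forked child (the future container init) drops
 * CAP_SYS_BOOT from its bounding set; the parent (think libvirtd) keeps its own.
 * Returns 0 when the drop succeeded and all three properties held:
 *   - the child's bounding set no longer contains CAP_SYS_BOOT,
 *   - the child's effective set is unchanged (the drop only bites at execve),
 *   - the parent's bounding set is unchanged (per-thread, copied by fork).
 * Returns 1 when the drop failed with EPERM (no CAP_SETPCAP, e.g. unprivileged),
 * -1 on any other failure. */
int demo_drop_in_child(void)
{
    int parent_before = cap_in_bounding_set(CAP_SYS_BOOT);
    if (parent_before < 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        const struct cap_entry *bad = NULL;
        int eff_before = cap_in_effective_set(CAP_SYS_BOOT);
        int rc = drop_bounding_caps(dropped_caps, 1, &bad);
        if (rc == -EPERM)
            _exit(1);
        if (rc != 0) {
            fprintf(stderr, "failed to drop %s: %s\n", bad->name, strerror(-rc));
            _exit(2);
        }
        int ok = cap_in_bounding_set(CAP_SYS_BOOT) == 0 &&
                 cap_in_effective_set(CAP_SYS_BOOT) == eff_before;
        _exit(ok ? 0 : 3);
    }

    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 1)
        return 1;
    if (WEXITSTATUS(status) != 0)
        return -1;
    return cap_in_bounding_set(CAP_SYS_BOOT) == parent_before ? 0 : -1;
}

int main(void)
{
    int r = demo_drop_in_child();
    printf("CAP_SYS_BOOT in this process's bounding set: %d\n",
           cap_in_bounding_set(CAP_SYS_BOOT));
    printf("child drop: %s\n", r == 0 ? "ok, parent unaffected"
                              : r == 1 ? "EPERM (need CAP_SETPCAP)" : "error");
    return r < 0;
}
```

Run it as root on the host and the child reports the drop as successful while the parent still shows CAP_SYS_BOOT in its bounding set; run it unprivileged and the drop fails with EPERM, which is the error the patch's lxcError path should surface with errno. The unchanged effective set in the child is the window the reviewer notes above refer to: only the execve in lxcContainerExecInit turns the bounding-set drop into a missing capability for the container's init.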