2009/8/25 Krzysztof Taraszka <krzysztof.taraszka@xxxxxxxxxxxxxx>
> 2009/8/25 Serge E. Hallyn <serue@xxxxxxxxxx>
>
>> Quoting Daniel Lezcano (daniel.lezcano@xxxxxxx):
>> > Krzysztof Taraszka wrote:
>> >> Hi,
>> >>
>> >> I was looking for a way to secure an lxc container so that the 'root
>> >> container user' is not allowed to change limits from cgroup. Right now,
>> >> without STACK64 or SELinux, he can do this easily.
>> >> I read
>> >> http://www.ibm.com/developerworks/linux/library/l-lxc-security/cookbook
>> >> and decided to use the STACK64 kernel mechanism.
>> >> Well... mounting cgroup inside the container fails (great!, I was looking
>> >> for that ;)) but networking fails too (the interface comes up, sshd comes
>> >> up, there is a connection between host and container, but 'mtr', 'ping'
>> >> and even 'apt-get update' fail and I do not know why). I secured my
>> >> container exactly like in the cookbook.
>>
>> Yeah, smack's use of cipso can make things tricky, and it's possible
>> things have changed a bit recently. Although I'm currently running smack
>> in my everyday s390 kernel to test checkpointing of its labels, and
>> networking is working fine.
>>
>> Can you give me a few details - what distro, smack policy, and precise
>> kernel version are you using, for starters?
>
> debian lenny amd64,
> kernel 2.6.30.5
> lxc-tools from git
>
> lxc1amd64:~# cat /etc/smackaccesses
> debian _ rwa
> _ debian rwa
> _ host rwax
> host _ rwax
>
> where "debian" is the container and "host" is the host.
>
> I did this:
>
> for f in `find /root/rootfs.debian`; do
>     attr -S -s SMACK64 -V debian $f
> done
>
> on the container fs.
>
> The container startup script looks like this:
>
> lxc1amd64:~# cat vs1.sh
> #!/bin/sh
> cp /bin/dropmacadmin /root/rootfs.debian/bin/
> attr -S -s SMACK64 -V debian /root/rootfs.debian/bin/dropmacadmin
> echo debian > /proc/self/attr/current
> lxc-start -n debian /bin/dropmacadmin /sbin/init
>
> /etc/fstab inside the container looks like:
>
> debian:~# cat /etc/fstab
> tmpfs /dev/shm tmpfs defaults,smackfsroot=debian,smackfsdef=debian 0 0
>
> And here is some output from when I tried to ping wp.pl, tried to
> apt-get update and tried to ping the gateway:
>
> debian:~# ping wp.pl
> PING wp.pl (212.77.100.101) 56(84) bytes of data.
> From 10.177.128.1 icmp_seq=1 Parameter problem: pointer = 20
> From 10.177.128.1 icmp_seq=2 Parameter problem: pointer = 20
> ^C
> --- wp.pl ping statistics ---
> 2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1001ms
>
> debian:~# apt-get update
> Err http://ftp.debian.org lenny Release.gpg
>   Could not connect to ftp.debian.org:80 (130.89.149.226). - connect (71 Protocol error)
> Err http://ftp.debian.org lenny/main Translation-en_US
>   Could not connect to ftp.debian.org:80 (130.89.149.226). - connect (71 Protocol error)
> Ign http://ftp.debian.org lenny Release
> Ign http://ftp.debian.org lenny/main Packages/DiffIndex
> Ign http://ftp.debian.org lenny/main Packages
> Err http://ftp.debian.org lenny/main Packages
>   Could not connect to ftp.debian.org:80 (130.89.149.226). - connect (71 Protocol error)
> W: Failed to fetch http://ftp.debian.org/debian/dists/lenny/Release.gpg
>   Could not connect to ftp.debian.org:80 (130.89.149.226). - connect (71 Protocol error)
>
> W: Failed to fetch http://ftp.debian.org/debian/dists/lenny/main/i18n/Translation-en_US.gz
>   Could not connect to ftp.debian.org:80 (130.89.149.226). - connect (71 Protocol error)
>
> W: Failed to fetch http://ftp.debian.org/debian/dists/lenny/main/binary-amd64/Packages
>   Could not connect to ftp.debian.org:80 (130.89.149.226). - connect (71 Protocol error)
>
> E: Some index files failed to download, they have been ignored, or old ones used instead.
>
> debian:~# ping 192.168.1.1
> PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
> 64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.085 ms
> unknown option 86
> 64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.136 ms
> unknown option 86
> 64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=0.116 ms
> unknown option 86
> ^C
> --- 192.168.1.1 ping statistics ---
> 3 packets transmitted, 3 received, 0% packet loss, time 2005ms
> rtt min/avg/max/mdev = 0.085/0.112/0.136/0.022 ms
>
> Did you change your smack policy, or do you have the same one as mine?

Oh, I forgot to add that I got smack-utils from here:
https://launchpad.net/~anthonywrather/+archive/ppa/+files/smack-util_0.2-0ubuntu0~ppa3.tar.gz
because this link won't work:
http://schaufler-ca.com/data/080616/smack-util-0.1.tar

--
Krzysztof Taraszka
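The two symptoms in the thread, "Parameter problem: pointer = 20" from the gateway and "unknown option 86" from ping, are both the CIPSO IP option that Smack adds to outgoing IPv4 packets: option type 134 (0x86 in hex, which is how iputils ping prints an option it does not recognise), placed at byte 20, directly after the fixed IPv4 header, so a gateway that rejects the option points its ICMP Parameter Problem at that byte. The parser below is an added example, not code from this thread or from smack-utils, that pulls the option out of a raw IPv4 header and validates option lengths; the sample packet, its addresses and the DOI value are constructed for the example.

```python
import struct

# IP option type 134 (0x86) is CIPSO, which Smack uses to carry a label on
# the wire; iputils ping prints an unknown option type in hex ("unknown option 86").
CIPSO_OPTION_TYPE = 0x86

def build_ipv4_header(src, dst, options=b"", proto=1):
    """Minimal IPv4 header (checksum 0) with raw options, EOL-padded to 4 bytes."""
    opts = options + b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(opts) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, proto, 0, src, dst)
    return fixed + opts

def parse_ipv4_options(pkt):
    """Return [(offset, type, payload)] for every option, refusing malformed lengths."""
    if len(pkt) < 20:
        raise ValueError("header shorter than 20 bytes")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        raise ValueError(f"bad IHL {ihl}")
    i, found = 20, []
    while i < ihl:
        t = pkt[i]
        if t == 0:      # End of Option List
            break
        if t == 1:      # No-Operation, single byte
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError(f"option {t:#x} at offset {i} lacks a length byte")
        ln = pkt[i + 1]
        if ln < 2 or i + ln > ihl:
            raise ValueError(f"option {t:#x} at offset {i} has bad length {ln}")
        found.append((i, t, pkt[i + 2:i + ln]))
        i += ln
    return found

def find_cipso(pkt):
    """(offset, doi) of the CIPSO option, or None. A router that rejects the
    option reports this offset as the ICMP Parameter Problem 'pointer'."""
    for off, t, payload in parse_ipv4_options(pkt):
        if t == CIPSO_OPTION_TYPE and len(payload) >= 4:
            return off, struct.unpack("!I", payload[:4])[0]
    return None

# Constructed sample: container 10.177.128.2 -> gateway 10.177.128.1 carrying a
# CIPSO option with DOI 3 and one tag-type-1 tag (values made up for the example).
CIPSO_OPT = bytes([0x86, 10, 0, 0, 0, 3, 1, 4, 0, 0])
SAMPLE_PKT = build_ipv4_header(b"\x0a\xb1\x80\x02", b"\x0a\xb1\x80\x01", CIPSO_OPT)
PLAIN_PKT = build_ipv4_header(b"\x0a\xb1\x80\x02", b"\x0a\xb1\x80\x01")
```

Running `find_cipso` over headers captured on the host side of the veth (for example from a pcap) tells you whether packets leaving the container are labelled before they reach a gateway that strips or rejects IP options.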