I didn't know where to post this but I had an idea, most likely of little use but I thought I would put it out there. Part of this idea is inspired by FUSE, which allows creating a user space filesystem but also takes care of basic security such as not allowing SUID.
I had an idea for a DUSE - Device driver in user space. This would probably not work without some sort of kernel support as well. Like FUSE, a DUSE application gets run by a normal user, and if that user is a member of the duse group, that user can create device files. For security the device files can not be created under the host /dev, but could be created under a different location which would eventually become the container's /dev. Any reads and writes to the device file, and IOCTL calls would be directed to the application. The device file gets created as the launching user/group. lxc-device simply make a device available within a container. This a couple allow several potential features. First, a DUSE application could be created to function as a filter before interacting in some way with the host. A virtual device could be exposed to a container, but any interactions with that device from the container are monitored and only certain interactions may be allowed to pass through and interact with the host. How this works would be device specific. Second, a DUSE application could provide a device that doesn't actually exist, a virtual device. Finally, such a feature might have use outside of containers as well. To support this within a container, special configurations could be specified which would allow launching of the DUSE application as a specific user after any user namespaces are set up, but before the rest of the container is set up. This would launch the application from the host filesystem before any mount point changes, but allow specifying which user,group the device file is owned as and what permissions are set on the device file. Brian Allen Vanderburg II
signature.asc
Description: OpenPGP digital signature
_______________________________________________ lxc-users mailing list lxc-users@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-users