Bug#770901: lxc: container can suspend the parent system via systemctl without restrictions

2014-12-03 Thread Kenshi Muto
I noticed that using the lxc.mount.auto feature solved this (sysfs and proc
will be mounted as read-only filesystems).

/usr/share/lxc/config/debian.common.conf

--- debian.common.conf  2014-10-14 03:46:44.0 +0900
+++ debian.common.conf  2014-12-03 20:59:31.414601423 +0900
@@ -2,8 +2,7 @@
 lxc.pivotdir = lxc_putold
 
 # Default mount entries
-lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
-lxc.mount.entry = sysfs sys sysfs defaults 0 0
+lxc.mount.auto = proc sys cgroup
 
 # Default console settings
 lxc.tty = 4
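
Review bot: the added `lxc.mount.auto = proc sys cgroup` line gives no access mode for any of the three mounts, so the read-only behaviour this change is meant to provide depends on LXC's defaults for the bare keywords. Consider spelling the modes out, for example `lxc.mount.auto = proc:mixed sys:ro`, so the intent is visible in the config and does not depend on those defaults. The same line also adds a `cgroup` mount that neither removed `lxc.mount.entry` line provided; that is a separate behaviour change and should get its own comment or its own patch. The removed proc entry carried explicit `nodev,noexec,nosuid` options, so it is worth confirming that the automatic proc mount keeps them.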


In my opinion, it may be a serious problem that container users
have the ability to modify everything in /proc or /sys of the parent system.

Thanks,
-- 
Kenshi Muto
km...@debian.org


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
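
A way to check from inside a container whether proc and sysfs ended up read-only, as the message above describes. This is an added example, not part of the original thread or of the lxc package; the function names and both sample mount tables are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the access mode of proc and sysfs mounts from
# mount-table text in /proc/mounts format:
#   device mountpoint fstype options dump pass

# pseudo_fs_modes: read mount-table lines on stdin and print
# "<mode> <fstype> <mountpoint>" for every proc or sysfs mount,
# where <mode> is "ro" if the option list contains ro, else "rw".
pseudo_fs_modes() {
    awk '$3 == "proc" || $3 == "sysfs" {
        mode = "rw"
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++) if (opts[i] == "ro") mode = "ro"
        print mode, $3, $2
    }'
}

# writable_sysfs: read mount-table lines on stdin and print the mount
# point of every writable sysfs mount. Exit status is 0 when at least
# one was found and 1 when there is none.
writable_sysfs() {
    pseudo_fs_modes |
        awk '$1 == "rw" && $2 == "sysfs" { print $3; found = 1 }
             END { exit !found }'
}

# Constructed sample: proc and sysfs both mounted read-write.
SAMPLE_RW='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
devpts /dev/pts devpts rw,relatime 0 0'

# Constructed sample: sysfs mounted read-only.
SAMPLE_RO='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0
devpts /dev/pts devpts rw,relatime 0 0'

# Show the report for the read-write sample.
printf '%s\n' "$SAMPLE_RW" | pseudo_fs_modes
```

Inside a running container, feed it the live table with `pseudo_fs_modes < /proc/mounts`.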



Bug#770901: lxc: container can suspend the parent system via systemctl without restrictions

2014-11-24 Thread Kenshi Muto
Package: lxc
Version: 1:1.0.6-3
Severity: important

Dear Maintainer,

I noticed that an lxc container could suspend the parent system just by typing
systemctl suspend when both the parent system and the container used systemd.
(Yes, usually we don't want this behavior...)

# lxc-create -n mylxc -t debian -- -r jessie
# lxc-start -n mylxc
mylxc# systemctl suspend
(parent system goes into suspend)

I'm not sure, but CAP_BLOCK_SUSPEND seems likely to be the capability for this
restriction. Even so, lxc 1.0.6-3 doesn't support block_suspend for cap.drop.

Thanks,
-- 
Kenshi Muto
km...@debian.org

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=ja_JP.UTF-8, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages lxc depends on:
ii  init-system-helpers  1.21
ii  libapparmor1         2.9.0-2
ii  libc6                2.19-13
ii  libcap2              1:2.24-6
ii  libseccomp2          2.1.1-1
ii  libselinux1          2.3-2
ii  multiarch-support    2.19-13
ii  python3              3.4.2-1

Versions of packages lxc recommends:
ii  debootstrap  1.0.64
ii  openssl      1.0.1j-1
ii  rsync        3.1.1-2+b1

Versions of packages lxc suggests:
pn  lua5.2  none

-- Configuration Files:

-- debconf information:
  lxc/auto: true
  lxc/title:
  lxc/shutdown: /usr/bin/lxc-halt
  lxc/directory: /var/lib/lxc

