Re: [lxc-devel] Detecting if you are running in a container
From: Michael Tokarev
Date: Wed Nov 02 2011 - 04:08:33 EST
On 02.11.2011 03:51, Eric W. Biederman wrote:
[]
>> And having CAP_MKNOD in container may not be that bad either, while
>> cgroup device.permission is set correctly - some nodes may need to
>> be created still, even in an unprivileged containers. Who filters
>> out CAP_MKNOD during container startup (I don't see it in the code,
>> which only removes CAP_SYS_BOOT, and even that due to current
>> limitation), and which evil things can be done if it is not filtered?
>
> If you don't filter which device nodes you a process can read/write then
> that process can access any device on the system. Steal the keyboard,
> the X display, access any filesystem, directly access memory. Basically
> the process can escalate that permission to full control of the system
> without needing any kernel bugs to help it.
There's cap_mknod, and cgroup/devices.{allow,deny}. Even with CAP_MKNOD,
container can not _use_ devices not allowed in the latter. That's what
I'm talking about - there's more fine control exist than CAP_MKNOD. And
my question was about this context - with proper cgroup-level device
control in place, what bad CAP_MKNOD have?
Thanks,
/mjt
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/