Re: [lxc-devel] [RFC PATCH 11/11] loop: Allow priveleged operations for root in the namespace which owns a device

From: Michael H. Warfield
Date: Mon May 26 2014 - 11:35:54 EST


On Mon, 2014-05-26 at 11:16 +0200, Seth Forshee wrote:
> On Fri, May 23, 2014 at 08:48:25AM +0300, Marian Marinov wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > One question about this patch.
> >
> > Why don't you use the devices cgroup check if the root user in that namespace is allowed to use this device?
> >
> > This way you can be sure that the root in that namespace can not access devices to which the host system did not gave
> > him access to.

> That might be possible, but I don't want to require something on the
> host to whitelist the device for the container. Then loop would need to
> automatically add the device to devices.allow, which doesn't seem
> desirable to me. But I'm not entirely opposed to the idea if others
> think this is a better way to go.

I don't see any safe way to avoid it. The host has to be in control of
what devices can and can not be accessed by the container.

> Seth

Regards,
Mike
--
Michael H. Warfield (AI4NB) | (770) 978-7061 | mhw@xxxxxxxxxxxx
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!

Attachment: signature.asc
Description: This is a digitally signed message part