brainstorming for UDS-N - Cloud Infrastructure
serge.hallyn at canonical.com
Wed Sep 29 17:02:34 BST 2010
Quoting Jamie Strandboge (jamie at canonical.com):
> On Tue, 2010-09-28 at 20:05 -0400, Stéphane Graber wrote:
> > On Tue, 2010-09-28 at 21:59 +0200, Allison Randal wrote:
> > Containers offer a lot of flexibility at a very low cost and can be used
> > to greatly improve everyone's security even on the desktop.
> > That's really something I believe we should focus more on and I know
> > there's an existing interest from both the Server and Security team.
> > We also have the chance to have Daniel Lezcano (upstream for LXC) at UDS
> > this time.
> AIUI, containers as currently implemented in the vanilla kernel should
> not be considered secure at this point (at least for root). There are
> apparently rather large patchsets that the different container upstreams
> use to address these issues. I'm not up on all the details though, but
> they can surely be googled.
Well, root in a container needs to be constrained by an LSM at the moment
(and for the foreseeable future) because user namespaces are not accounted
for when calculating file permissions. But that's doable, and I've done
and documented it both with SELinux and SMACK. The real issue is the
question of having a single kernel serving all the containers. No LSM
and no container feature is going to stop a hostile root user in a container
from abusing a 64/32-bit compat syscall hole. But it still adds another
layer to your defense in depth. Just like your vmware video driver is
likely a free ticket for a guest user to a host root shell, but vmware
is considered by most to be a security feature.