conf: write "deny" to /proc/[pid]/setgroups #2067

Merged
merged 4 commits into from Jan 4, 2018

Conversation

3 participants
@brauner
Member

brauner commented Jan 3, 2018

When fully unprivileged users run a container that only maps their own {g,u}id
and they do not have access to setuid new{g,u}idmap binaries we will write the
idmapping directly. This however requires us to write "deny" to
/proc/[pid]/setgroups otherwise any write to /proc/[pid]/gid_map will be
denied.

On a sidenote, this patch enables fully unprivileged containers. If you now set
lxc.net.[i].type = empty no privilege whatsoever is required to run a container.

Enhances #2033.

Signed-off-by: Christian Brauner christian.brauner@ubuntu.com
Cc: Felix Abecassis fabecassis@nvidia.com
Cc: Jonathan Calmels jcalmels@nvidia.com
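
The rule the description relies on, shown end to end as an added example (this is not lxc's code; the function names and the fork/pipe handshake are mine, and it assumes a Linux host where unprivileged user namespaces are enabled): a child unshares a user namespace, the parent writes the single-id mapping from outside the way lxc does when no setuid new{g,u}idmap helper is available, and the child reports whether it became uid 0 and whether setgroups() is now refused. Running it once with "deny" written first and once without shows the two outcomes the patch is about: with "deny", gid_map accepts the writer's own gid and setgroups() returns EPERM inside the namespace; without it, an unprivileged writer is refused at gid_map with EPERM, while a writer holding CAP_SETGID gets a namespace in which setgroups() still works.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome codes for run_demo() (names are this example's own). */
enum demo_result {
	DEMO_NO_USERNS = -1,        /* unshare(CLONE_NEWUSER) refused here; nothing to show */
	DEMO_SETGROUPS_DENIED = 0,  /* maps written; child is uid 0 and setgroups() fails with EPERM */
	DEMO_GIDMAP_EPERM = 1,      /* gid_map write refused because "deny" was not written first */
	DEMO_ERROR = 2,             /* unexpected failure, reported on stderr */
	DEMO_SETGROUPS_ALLOWED = 3, /* maps written without "deny" (privileged writer); setgroups() works */
};

/* Format one id-map line "<nsid> <hostid> <range>" as the kernel expects it. */
int format_map_line(char *buf, size_t n, unsigned nsid, unsigned hostid, unsigned range)
{
	return snprintf(buf, n, "%u %u %u", nsid, hostid, range);
}

static void send_byte(int fd, char c)
{
	if (write(fd, &c, 1) != 1)
		perror("write");
}

/* Write buf to /proc/<pid>/<file> in a single write(2); the id-map files
 * reject partial and repeated writes. Returns 0 or -errno. */
static int write_proc_file(pid_t pid, const char *file, const char *buf)
{
	char path[64];
	size_t len = strlen(buf);
	ssize_t n;
	int fd, ret = 0;

	snprintf(path, sizeof(path), "/proc/%d/%s", (int)pid, file);
	fd = open(path, O_WRONLY | O_CLOEXEC);
	if (fd < 0)
		return -errno;
	n = write(fd, buf, len);
	if (n < 0)
		ret = -errno;
	else if ((size_t)n != len)
		ret = -EIO;
	close(fd);
	return ret;
}

/* Map nsid 0 to the caller's own uid and gid in pid's user namespace. With
 * write_deny set, "deny" goes to setgroups before gid_map, which is what lets
 * an unprivileged writer touch gid_map at all. Returns 0 or -errno. */
static int map_single_id(pid_t pid, uid_t uid, gid_t gid, int write_deny)
{
	char line[64];
	int ret;

	if (write_deny && (ret = write_proc_file(pid, "setgroups", "deny")) < 0)
		return ret;
	format_map_line(line, sizeof(line), 0, (unsigned)gid, 1);
	if ((ret = write_proc_file(pid, "gid_map", line)) < 0)
		return ret;
	format_map_line(line, sizeof(line), 0, (unsigned)uid, 1);
	return write_proc_file(pid, "uid_map", line);
}

/* Fork a child that unshares a user namespace, write its mapping from the
 * parent, then let the child report what it observes. */
int run_demo(int write_deny)
{
	int to_child[2], to_parent[2], status, ret = DEMO_ERROR, err;
	char msg = 0;
	pid_t pid;

	if (pipe(to_child) < 0 || pipe(to_parent) < 0)
		return DEMO_ERROR;
	pid = fork();
	if (pid < 0)
		return DEMO_ERROR;

	if (pid == 0) {
		/* child replies: 'u' unshare refused, 'r' ready for mapping; after
		 * mapping: 'p' setgroups EPERM, 'o' setgroups ok, 'x' not uid 0 */
		char reply = 'u';
		if (unshare(CLONE_NEWUSER) == 0) {
			send_byte(to_parent[1], 'r');
			if (read(to_child[0], &msg, 1) != 1 || msg != 'm')
				_exit(0);
			if (geteuid() != 0)
				reply = 'x';
			else if (setgroups(0, NULL) < 0)
				reply = errno == EPERM ? 'p' : 'e';
			else
				reply = 'o';
		}
		send_byte(to_parent[1], reply);
		_exit(0);
	}

	close(to_child[0]);
	close(to_parent[1]);
	if (read(to_parent[0], &msg, 1) != 1 || msg == 'u') {
		/* unshare refused, or the child was killed before reporting (e.g. seccomp) */
		ret = DEMO_NO_USERNS;
	} else if ((err = map_single_id(pid, getuid(), getgid(), write_deny)) == 0) {
		send_byte(to_child[1], 'm');
		if (read(to_parent[0], &msg, 1) == 1 && msg == 'p')
			ret = DEMO_SETGROUPS_DENIED;
		else if (msg == 'o')
			ret = DEMO_SETGROUPS_ALLOWED;
		else
			fprintf(stderr, "child reported '%c'\n", msg);
	} else {
		send_byte(to_child[1], 'f');
		if (err == -EPERM && !write_deny)
			ret = DEMO_GIDMAP_EPERM;
		else
			fprintf(stderr, "mapping failed: %s\n", strerror(-err));
	}
	close(to_child[1]);
	close(to_parent[0]);
	waitpid(pid, &status, 0);
	return ret;
}

int main(void)
{
	printf("with \"deny\":    %d\n", run_demo(1));
	printf("without \"deny\": %d\n", run_demo(0));
	return 0;
}
```

On an unprivileged account the two lines print 0 and 1; run as root with CAP_SETGID they print 0 and 3, which is exactly why the hunk below can treat EPERM from setgroups() as "a deny was written" only when the writer was unprivileged.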

@brauner brauner requested a review from hallyn Jan 3, 2018

@flx42
Contributor

flx42 commented Jan 3, 2018

On a sidenote, this patch enables fully unprivileged containers. If you now set
lxc.net.[i].type = empty no privilege whatsoever is required to run a container.

This is great, thanks!

brauner added some commits Jan 3, 2018

conf: write "deny" to /proc/[pid]/setgroups
When fully unprivileged users run a container that only maps their own {g,u}id
and they do not have access to setuid new{g,u}idmap binaries we will write the
idmapping directly. This however requires us to write "deny" to
/proc/[pid]/setgroups otherwise any write to /proc/[pid]/gid_map will be
denied.

On a sidenote, this patch enables fully unprivileged containers. If you now set
lxc.net.[i].type = empty no privilege whatsoever is required to run a container.

Enhances #2033.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Cc: Felix Abecassis <fabecassis@nvidia.com>
Cc: Jonathan Calmels <jcalmels@nvidia.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
conf: non-functional changes
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
conf: rework userns_exec_1()
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
cgfsng: only establish mapping once
When we deleted cgroups for unprivileged containers we used to allocate a new
mapping and clone a new user namespace each time we delete a cgroup. This of
course meant - on a cgroup v1 system - doing this >= 10 times when all
controllers were used. Let's not to do this and only allocate and establish a
mapping once.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
@@ -1284,7 +1284,7 @@ static int rmdir_wrapper(void *data)
SYSERROR("Failed to setgid to 0");
if (setresuid(nsuid, nsuid, nsuid) < 0)
SYSERROR("Failed to setuid to 0");
if (setgroups(0, NULL) < 0)
if (setgroups(0, NULL) < 0 && errno != EPERM)
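Review bot: the `errno != EPERM` exemption on `setgroups(0, NULL)` accepts the error without confirming its cause; as the description says, EPERM here is expected only because "deny" was written to /proc/[pid]/setgroups, but the same errno would also mask a genuine failure to drop supplementary groups when no deny was written. Consider at least logging the skipped call at debug level, or checking /proc/[pid]/setgroups once when the mapping is established, so that a silently retained group set cannot pass unnoticed.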

@hallyn
Member

hallyn Jan 4, 2018

So we'll ignore failures to write due to eperm. Is that ok?

@brauner
Member

brauner Jan 4, 2018

It should only ever mean that there's a "deny" in /proc/[pid]/setgroups but I don't want to open this and read it every time. But we could.
@hallyn hallyn merged commit a3f5fbb into lxc:master Jan 4, 2018

4 checks passed

Branch target: Branch target is correct
Signed-off-by: All commits signed-off
Testsuite: Testsuite passed
continuous-integration/travis-ci/pr: The Travis CI build passed