Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unable to access /sys/kernel in privileged container #2661

Closed
acompagn opened this issue Nov 28, 2016 · 6 comments

Comments

@acompagn
Copy link

@acompagn acompagn commented Nov 28, 2016

The template below is mostly useful for bug reports and support questions.
Feel free to remove anything which doesn't apply to you and add more information where it makes sense.

Required information

  • Distribution: Ubuntu
  • Distribution version: 16.04.1
  • The output of "lxc info" or if that fails:
    driver: lxc
    driverversion: 2.0.5
    kernel: Linux
    kernelarchitecture: x86_64
    kernelversion: 4.4.0-47-generic
    server: lxd
    serverpid: 8256
    serverversion: 2.0.5
    storage: zfs
    storageversion: "5"

Issue description

If I set my container as privileged, I cannot access /sys/kernel from the container:

root@vppjordan:~# ls /sys/kernel/
ls: cannot open directory /sys/kernel/: Permission denied

Here is the list of permissions of /sys folder in the container:

root@vppjordan:~# ls -la /sys/
total 2
dr-xr-xr-x 13 root root 0 Nov 25 20:06 .
drwxr-xr-x 22 root root 22 Nov 25 22:13 ..
drwxr-xr-x 2 root root 0 Nov 25 20:06 block
drwxr-xr-x 33 root root 0 Nov 25 20:06 bus
drwxr-xr-x 63 root root 0 Nov 25 20:06 class
drwxr-xr-x 4 root root 0 Nov 25 20:06 dev
drwxr-xr-x 12 root root 0 Nov 25 20:06 devices
drwxr-xr-x 5 root root 0 Nov 25 20:06 firmware
drwxr-xr-x 9 root root 0 Nov 25 20:06 fs
drwxr-xr-x 2 root root 0 Nov 25 20:06 hypervisor
drwxr-xr-x 10 root root 0 Nov 25 20:06 kernel
drwxr-xr-x 158 root root 0 Nov 25 20:06 module
drwxr-xr-x 2 root root 0 Nov 25 20:06 power

Here is the container's lxc.conf file:

lxc.cap.drop = sys_time sys_module sys_rawio mac_admin mac_override
lxc.mount.auto = proc:mixed sys:mixed
lxc.autodev = 1
lxc.pts = 1024
lxc.mount.entry = mqueue dev/mqueue mqueue rw,relatime,create=dir,optional
lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file,optional
lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file,optional
lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none rbind,create=dir,optional
lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none rbind,create=dir,optional
lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none rbind,create=dir,optional
lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none rbind,create=dir,optional
lxc.mount.entry = /sys/kernel/security sys/kernel/security none rbind,create=dir,optional
lxc.include = /usr/share/lxc/config/common.conf.d/
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = b : m
lxc.cgroup.devices.allow = c : m
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 1:7 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 10:229 rwm
lxc.cgroup.devices.allow = c 10:200 rwm
lxc.logfile = /var/log/lxd/vppjordan/lxc.log
lxc.loglevel = 0
lxc.arch = linux64
lxc.hook.pre-start = /usr/bin/lxd callhook /var/lib/lxd 3 start
lxc.hook.post-stop = /usr/bin/lxd callhook /var/lib/lxd 3 stop
lxc.tty = 0
lxc.utsname = vppjordan
lxc.mount.entry = /var/lib/lxd/devlxd dev/lxd none bind,create=dir 0 0
lxc.aa_profile = lxd-vppjordan
</var/lib/lxd>//&:lxd-vppjordan_:
lxc.seccomp = /var/lib/lxd/security/seccomp/vppjordan
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.veth.pair = veth-vppjordan0
lxc.network.hwaddr = 00:16:3e:00:00:06
lxc.network.name = eth0
lxc.network.type = veth
lxc.network.flags = up
lxc.network.veth.pair = veth1
lxc.network.hwaddr = 00:16:3e:00:00:02
lxc.network.name = eth1
lxc.network.type = veth
lxc.network.flags = up
lxc.network.veth.pair = veth2
lxc.network.hwaddr = 00:16:3e:00:00:03
lxc.network.name = eth2
lxc.rootfs.backend = dir
lxc.rootfs = /var/lib/lxd/containers/vppjordan/rootfs
lxc.mount.entry = /var/lib/lxd/devices/vppjordan/unix.dev-net-tun dev/net/tun none bind,create=file
lxc.mount.entry = /var/lib/lxd/shmounts/vppjordan dev/.lxd-mounts none bind,create=dir 0 0
lxc.mount.entry = hugetlbfs dev/hugepages hugetlbfs rw,relatime,create=dir 0 0
lxc.cgroup.devices.allow = c 10:200 rwm_

@brauner

This comment has been minimized.

Copy link
Member

@brauner brauner commented Nov 28, 2016

This is a security feature. AppArmor will prevent you from accessing this directory. Since you're a privileged container you could easily mess up the host by writing to various files in this directory.

@stgraber

This comment has been minimized.

Copy link
Member

@stgraber stgraber commented Nov 28, 2016

If you really need to access it, you can turn apparmor off, though note that giving direct access to things like debugfs will allow to escape the container and become root on the host.

To turn off apparmor, you can do:

lxc config set vppjordan raw.lxc lxc.aa_profile=unconfined
lxc restart vppjordan
@acompagn

This comment has been minimized.

Copy link
Author

@acompagn acompagn commented Nov 29, 2016

Thank you for your suggestions. My application actually just needs to read on /sys/kernel/mm/hugepages to get information about hugepages. Is there a way that I can just allow reading in such directory without disabling apparmor?

@stgraber

This comment has been minimized.

Copy link
Member

@stgraber stgraber commented Nov 29, 2016

@acompagn unfortunately, not really... We do allow you to append to the generated apparmor profile with raw.apparmor but because apparmor lacks an "allow" keyword which would override any existing "deny" pattern, you can't unblock something which was directly blocked :(

An option, but unfortunately a rather painful one, would be to copy the generated apparmor profile (from /var/lib/lxd/security/apparmor/...) to /etc/apparmor.d/, change its name and allow the path you need by changing the patterns in there, then have apparmor load that profile ("/etc/init.d/apparmor reload") and finally set "raw.lxc" to "lxc.aa_profile=name-of-your-profile".

Basically forcing LXD to use a pre-existing profile that you control rather than generate a new one for you.

@brauner

This comment has been minimized.

Copy link
Member

@brauner brauner commented Nov 30, 2016

Since there's nothing that really that can be done in LXD itself, I think we can close this issue. :)

@brauner brauner closed this Nov 30, 2016
@acompagn

This comment has been minimized.

Copy link
Author

@acompagn acompagn commented Nov 30, 2016

Thank you, I got it working.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
3 participants
You can’t perform that action at this time.