Restrictions for projects #6170

Open
stgraber opened this issue Sep 9, 2019 · 0 comments

@stgraber (Member) commented Sep 9, 2019

Somewhat similar to #6169, another big part of delegating access to LXD to users is being able to restrict them to operations that will not allow attacks on the host system.

For this we should introduce a new restrict key namespace that's used to block access to a variety of features. An initial set would be:

  • restrict (boolean, if enabled, all restrictions apply)
  • restrict.containers.privilege (one of all, unprivileged, isolated, default unprivileged)
  • restrict.containers.nesting (boolean)
  • restrict.containers.lowlevel (one of all or none, default none)
  • restrict.devices.disk (one of all, volumes, none, default volumes)
  • restrict.devices.gpu (one of all or none, default none)
  • restrict.devices.usb (one of all or none, default none)
  • restrict.devices.nic (one of all, managed or none, default managed)
  • restrict.devices.infiniband (one of all or none, default none)
  • restrict.devices.unix-char (one of all or none, default none)
  • restrict.devices.unix-block (one of all or none, default none)

The idea is that if a project has restrict set to true, all restrictions apply such that if we are to add new restrictions to LXD, things default closed rather than default open.

The lowlevel option above should restrict:

  • raw.idmap
  • raw.apparmor
  • raw.lxc
  • raw.seccomp
  • linux.kernel_modules
  • raw.idmap.base
  • volatile.*

@stgraber added the Feature label Sep 9, 2019
@stgraber added this to the soon milestone Sep 9, 2019
@stgraber pinned this issue Sep 23, 2019
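
Added example, not part of the issue and not LXD's own code: a Go check for the proposed `restrict.containers.lowlevel` key that applies the default-closed rule when a project only sets `restrict`. The function names and sample values are hypothetical. It assumes that `all` permits the listed keys, that a project without `restrict` set to true is not checked, and that `volatile.*` is a prefix match.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Instance keys covered by the "lowlevel" restriction, as listed in the issue.
var lowLevelKeys = []string{"raw.idmap", "raw.apparmor", "raw.lxc",
	"raw.seccomp", "linux.kernel_modules", "raw.idmap.base"}

// lowLevelAllowed reports whether a project permits low-level keys. With
// restrict=true and no explicit value, the proposal's default "none" applies.
func lowLevelAllowed(project map[string]string) bool {
	if project["restrict"] != "true" {
		return true // assumption: restrictions only apply when restrict is true
	}
	mode, ok := project["restrict.containers.lowlevel"]
	if !ok {
		mode = "none" // default closed
	}
	return mode == "all"
}

// lowLevelViolations returns the sorted instance keys the project would reject.
func lowLevelViolations(project, instance map[string]string) []string {
	if lowLevelAllowed(project) {
		return nil
	}
	var bad []string
	for k := range instance {
		blocked := strings.HasPrefix(k, "volatile.") // volatile.* read as a prefix
		for _, l := range lowLevelKeys {
			blocked = blocked || k == l
		}
		if blocked {
			bad = append(bad, k)
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	project := map[string]string{"restrict": "true"} // constructed sample data
	instance := map[string]string{"raw.lxc": "lxc.log.level=1", "limits.cpu": "2", "volatile.eth0.name": "eth0"}
	fmt.Println(lowLevelViolations(project, instance))
}
```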