ServerNContainerizePtraceKill
Launchpad Entry: cloud-server-n-containerize-ptrace-kill
Created:
Contributors: serge-hallyn
Packages affected: linux-kernel
Summary
Root powers, in Linux, are supposed to come only from (a) possession of POSIX capabilities, and (b) ownership of critical files such as /etc/passwd.
This work is to push patches upstream that (a) make POSIX capabilities targeted at user namespaces, and (b) ensure that root inside a container's user namespace is not treated as the global root user.
This goes a long way toward making containers more secure.
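As an added illustration (not from this spec or the upstream patches), the snippet below shows the distinction point (b) is about: it translates a process's euid through the /proc/<pid>/uid_map table that later kernels expose for user namespaces, so that "root inside a container namespace" is told apart from global root. The uid_map interface, the overflow uid and the sample mappings are assumptions introduced here, not taken from this page.

```python
# Added example: decide whether a process that reports euid 0 is the global
# root or only root inside a user namespace, by translating its euid through
# /proc/<pid>/uid_map.  Each line is "<id-inside-ns> <id-outside-ns> <length>".
# When the table is read from the initial user namespace, the outside id is the
# kernel-level uid that capability and file-ownership checks actually compare.
# (Assumption: a kernel with user-namespace uid_map support.)

OVERFLOW_UID = 65534  # kernel default reported for ids with no mapping


def parse_uid_map(text):
    """Parse uid_map text into a list of (inside, outside, length) ranges."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, length = (int(f) for f in fields)
        if length <= 0:
            raise ValueError(f"non-positive length in uid_map line: {line!r}")
        ranges.append((inside, outside, length))
    return ranges


def map_uid_out(uid, ranges):
    """Translate a uid as seen inside the namespace to the id outside it."""
    for inside, outside, length in ranges:
        if inside <= uid < inside + length:
            return outside + (uid - inside)
    return OVERFLOW_UID  # unmapped: the kernel reports the overflow id


def is_global_root(euid, uid_map_text):
    """True only if euid 0 translates to kernel uid 0 (read from the init namespace)."""
    return euid == 0 and map_uid_out(0, parse_uid_map(uid_map_text)) == 0


# Constructed sample tables (not captured from a real system).
HOST_MAP = "         0          0 4294967295\n"       # init namespace identity map
CONTAINER_MAP = "         0     100000      65536\n"  # typical container mapping
UNMAPPED_MAP = "      1000       1000          1\n"   # only uid 1000 is mapped

if __name__ == "__main__":
    for name, text in (("host", HOST_MAP), ("container", CONTAINER_MAP), ("unmapped", UNMAPPED_MAP)):
        kuid = map_uid_out(0, parse_uid_map(text))
        print(f"{name:10s} euid 0 -> kuid {kuid}, global root: {is_global_root(0, text)}")
```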
Release Note
The root user in containers is now properly contained.
Rationale
For containers to be useful, we want it to be possible to be root in a container without 'owning' the host. For instance, being root in a container currently allows you to mount the cgroup filesystem and alter your own cgroup-imposed limits (cpu, memory, io, and allowed devices).
User stories
Joe wants to run some potentially destructive tests in a container, without risking the tests adversely affecting his host.
Assumptions
Design
Implementation
Test/Demo Plan
Unresolved issues
BoF agenda and discussion
UDS Natty discussion
== Containerize ptrace/kill ==
The security team has an interest in smarter ptrace controls; however, these do not mesh with this work. They want to mostly prevent ptrace, but allow ptrace_traceme (ab)use by/for debuggers, tracers, and fault handlers. Containers will prevent tasks inside the container from allowing ptrace by a task outside the container. User namespaces would likely be too coarse-grained for that purpose, lumping together an entire KDE or wine session and allowing all tasks in one such session to ptrace each other. However, the containerization of kill and ptrace is deemed 'a good thing.' Kees recommends pushing the patchset.
ServerNContainerizePtraceKill (last edited 2010-11-09 16:54:33 by 64)