ServerNContainerizePtraceKill

Summary

Root powers, in Linux, are supposed to only come from (a) the possession of POSIX capabilities, and (b) being the owner of critical files like /etc/passwd.

This work is to push patches upstream to (a) make POSIX capabilities targeted at user namespaces, and (b) make root in a container user namespace be recognized as not being the global root user.

This goes a long way to making containers more secure.

Release Note

The root user in containers is now properly contained.

Rationale

For containers to be useful, we want it to be possible to be root in a container without 'owning' the host. For instance, being root in a container allows you to mount the cgroup filesystem and make changes to your cgroup-imposed limits (cpu, memory, io, and allowed devices).
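To make the two points of the Summary concrete, here is an added probe (not part of this spec or of the upstream patches; the function and result-code names are this example's own) that becomes root inside a new user namespace and checks that this root is confined: it cannot rename the host or write a file owned by the global root, yet it can administer a UTS namespace that its own user namespace owns. It assumes a kernel with user namespaces available; where unprivileged user namespaces are disabled it reports NS_UNSUPPORTED instead.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef CLONE_NEWUSER  /* fallback in case _GNU_SOURCE was not seen before the headers */
#define CLONE_NEWUSER 0x10000000
#define CLONE_NEWUTS 0x04000000
#endif
int unshare(int flags); int sethostname(const char *name, size_t len);
enum { NS_UNSUPPORTED = 1, NS_CONFINED = 2, NS_NOT_CONFINED = 3, NS_FAILED = 4 }; /* this example's own codes */
static int write_file(const char *path, const char *text) {
    int fd = open(path, O_WRONLY);
    ssize_t n = fd < 0 ? -1 : write(fd, text, strlen(text));
    if (fd >= 0) close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}
/* Child: become uid 0 in a fresh user namespace and probe what that "root" can do. */
static int probe_child(void) {
    uid_t uid = getuid(); gid_t gid = getgid(); char map[32];  /* ids captured before they change */
    if (unshare(CLONE_NEWUSER) != 0)
        return errno == EPERM || errno == EINVAL || errno == ENOSYS ? NS_UNSUPPORTED : NS_FAILED;
    snprintf(map, sizeof map, "0 %u 1\n", (unsigned)uid);  /* our real uid becomes 0 in here */
    if (write_file("/proc/self/uid_map", map) != 0) return NS_FAILED;
    if (write_file("/proc/self/setgroups", "deny\n") != 0 && errno != ENOENT) return NS_FAILED;
    snprintf(map, sizeof map, "0 %u 1\n", (unsigned)gid);
    if (write_file("/proc/self/gid_map", map) != 0 || geteuid() != 0) return NS_FAILED;
    /* CAP_SYS_ADMIN is scoped to this user namespace; the inherited UTS namespace is owned by the initial one. */
    if (sethostname("owned", 5) == 0) return NS_NOT_CONFINED;  /* renaming the host must fail */
    if (errno != EPERM) return NS_FAILED;
    /* A file owned by the global root has no owner mapping here, so even uid 0 gets EACCES. */
    if (uid != 0) {  /* skipped when the caller already was the global root and owns the file */
        int fd = open("/etc/passwd", O_WRONLY | O_APPEND);
        if (fd >= 0) { close(fd); return NS_NOT_CONFINED; }
        if (errno != EACCES) return NS_FAILED;
    }
    /* A UTS namespace created from here is owned by our user namespace, so the same capability now works. */
    if (unshare(CLONE_NEWUTS) != 0 || sethostname("container", 9) != 0) return NS_FAILED;
    return NS_CONFINED;
}
/* Fork so the caller's own namespaces stay untouched; returns one of the codes above. */
int probe_user_namespace(void) {
    int status = 0; pid_t pid = fork();
    if (pid == 0) _exit(probe_child());
    if (pid < 0 || waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return NS_FAILED;
    return WEXITSTATUS(status);
}
```

A result of NS_NOT_CONFINED would mean the namespace root reached something belonging to the host, which is exactly the condition the patches described above are meant to rule out.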

User stories

Joe wants to run some potentially destructive tests in a container, without risking the tests adversely affecting his host.

Assumptions

Design

Implementation

Test/Demo Plan

Unresolved issues

BoF agenda and discussion

UDS Natty discussion

== Containerize ptrace/kill ==

The security team has an interest in smarter ptrace controls; however, these do not mesh with this work. They want to mostly prevent ptrace, but allow ptrace_traceme (ab)use by/for debuggers, tracers, and fault handlers. Containers will prevent tasks inside the container from allowing ptrace by a task outside the container. User namespaces would likely be too coarse-grained, globbing together an entire KDE or wine session, allowing all tasks in one such session to ptrace each other.

However, the containerization of kill and ptrace are deemed 'a good thing.' Kees recommends pushing the patchset.


CategorySpec

ServerNContainerizePtraceKill (last edited 2010-11-09 16:54:33 by 64)