This introduces a new optional security feature to the LXC monitor process.

With this enabled, the monitor API used for communication between the
CLI (or other clients) and the container monitor will now run in a
dedicated thread and have a Landlock policy applied to that thread.
The thread trick is required as the monitor process is also responsible
for running post-stop tasks (hooks) which need full privileges as well
as also handling full container reboots which similarly require full
privileges.

The policy is pretty simple at this point. It allows access to /dev/pts,
/dev/ptmx and /sys/fs/cgroup as those are the few paths that the monitor
actually needs to open (as opposed to just handing out existing
file descriptors).
Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
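As an added illustration of the thread-scoped confinement the commit message describes (example code written for this page, not LXC's implementation), the program below builds a Landlock ruleset that allows only the three paths named above, applies it from a worker thread so that only that thread is confined, and then checks that the unconfined main thread can still open a path the worker no longer can. The per-path access rights, the probe path `/dev/null`, and all function names are assumptions; the syscall numbers and ABI v1 constants are declared locally so the file also builds where `<linux/landlock.h>` is missing.

```c
/* Added example: confine a single thread with Landlock (not LXC's own code). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Landlock ABI v1 declared locally so this builds without <linux/landlock.h>;
 * the syscall numbers are the same on every architecture. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule 445
#define __NR_landlock_restrict_self 446
#endif
#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_RULE_PATH_BENEATH 1
#define LL_FS_WRITE_FILE (1ULL << 1)
#define LL_FS_READ_FILE (1ULL << 2)
#define LL_FS_READ_DIR (1ULL << 3)
#define LL_FS_REMOVE_DIR (1ULL << 4)
#define LL_FS_MAKE_DIR (1ULL << 7)
#define LL_FS_ALL_V1 ((1ULL << 13) - 1) /* every ABI v1 filesystem right */

struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));

static int ll_create_ruleset(const void *attr, size_t size, uint32_t flags)
{ return (int)syscall(__NR_landlock_create_ruleset, attr, size, flags); }
static int ll_add_rule(int fd, int type, const void *attr, uint32_t flags)
{ return (int)syscall(__NR_landlock_add_rule, fd, type, attr, flags); }
static int ll_restrict_self(int fd, uint32_t flags)
{ return (int)syscall(__NR_landlock_restrict_self, fd, flags); }

/* Kernel's Landlock ABI version, or 0 when Landlock is unavailable (ENOSYS/EOPNOTSUPP). */
int landlock_abi_version(void)
{
    int v = ll_create_ruleset(NULL, 0, LL_CREATE_RULESET_VERSION);
    return v < 0 ? 0 : v;
}

/* Constructed allow-list mirroring the three paths in the commit message; the
 * exact rights granted per path are an assumption of this example. */
struct allow_rule { const char *path; uint64_t access; };
static const struct allow_rule MONITOR_RULES[] = {
    { "/dev/pts",       LL_FS_READ_DIR | LL_FS_READ_FILE | LL_FS_WRITE_FILE },
    { "/dev/ptmx",      LL_FS_READ_FILE | LL_FS_WRITE_FILE },
    { "/sys/fs/cgroup", LL_FS_READ_DIR | LL_FS_READ_FILE | LL_FS_WRITE_FILE |
                        LL_FS_MAKE_DIR | LL_FS_REMOVE_DIR },
};
#define MONITOR_RULE_COUNT (sizeof(MONITOR_RULES) / sizeof(MONITOR_RULES[0]))

/* Builds the ruleset: everything not listed is denied. Returns the ruleset fd or -1;
 * *added receives how many paths were present on this host and got a rule. */
int build_monitor_ruleset(int *added)
{
    struct ll_ruleset_attr attr = { .handled_access_fs = LL_FS_ALL_V1 };
    int fd = ll_create_ruleset(&attr, sizeof(attr), 0);
    if (fd < 0)
        return -1;
    *added = 0;
    for (size_t i = 0; i < MONITOR_RULE_COUNT; i++) {
        struct ll_path_beneath_attr rule = { .allowed_access = MONITOR_RULES[i].access };
        rule.parent_fd = open(MONITOR_RULES[i].path, O_PATH | O_CLOEXEC);
        if (rule.parent_fd < 0)
            continue; /* path absent on this host: nothing to allow */
        int rc = ll_add_rule(fd, LL_RULE_PATH_BENEATH, &rule, 0);
        close(rule.parent_fd);
        if (rc < 0) { close(fd); return -1; }
        (*added)++;
    }
    return fd;
}

struct probe { const char *path; int open_errno; };

/* Worker thread: enforce the policy on itself only, then try to open the probe path. */
static void *restricted_thread(void *arg)
{
    struct probe *p = arg;
    int added = 0, fd = build_monitor_ruleset(&added);
    if (fd < 0) { p->open_errno = -1; return NULL; }
    /* Both calls act on the calling thread; other threads keep full access. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || ll_restrict_self(fd, 0)) {
        close(fd); p->open_errno = -1; return NULL;
    }
    close(fd);
    int f = open(p->path, O_RDONLY | O_CLOEXEC);
    p->open_errno = f < 0 ? errno : 0;
    if (f >= 0) close(f);
    return NULL;
}

/* 1: worker denied `path` while the main thread still opens it; 0: Landlock unusable
 * here (old kernel, or the sandbox blocks it); -1: unexpected outcome. */
int thread_isolation_demo(const char *path)
{
    if (landlock_abi_version() == 0)
        return 0;
    struct probe p = { .path = path, .open_errno = 0 };
    pthread_t t;
    if (pthread_create(&t, NULL, restricted_thread, &p))
        return -1;
    pthread_join(t, NULL);
    if (p.open_errno == -1)
        return 0;
    int f = open(path, O_RDONLY | O_CLOEXEC), main_ok = f >= 0;
    if (f >= 0) close(f);
    return (p.open_errno == EACCES && main_ok) ? 1 : -1;
}

int main(void)
{
    int r = thread_isolation_demo("/dev/null");
    printf("Landlock ABI %d: %s\n", landlock_abi_version(),
           r == 1 ? "worker thread denied, main thread allowed"
                  : r == 0 ? "Landlock unavailable" : "unexpected result");
    return r < 0;
}
```

The important property is that `landlock_restrict_self()` (like `PR_SET_NO_NEW_PRIVS`) changes only the credentials of the calling thread, which is exactly why the monitor API can be confined in its own thread while hooks and reboots keep running unconfined elsewhere in the same process. Handling only the ABI v1 rights keeps the ruleset valid on every Landlock-capable kernel; rights added by later ABI versions are then simply not restricted.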
want_thread_safety = get_option('thread-safety')
want_memfd_rexec = get_option('memfd-rexec')
want_dbus = get_option('dbus')
+want_landlock_monitor = get_option('landlock-monitor')
# Set sysconfdir
fs = import('fs')
srcconf.set10('HAVE_DBUS', false)
endif
+if want_landlock_monitor
+ srcconf.set10('HAVE_LANDLOCK_MONITOR', true)
+else
+ srcconf.set10('HAVE_LANDLOCK_MONITOR', false)
+endif
+
## Time EPOCH.
sh = find_program('sh')
date = find_program('date')
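Review bot: the `if want_landlock_monitor` branch sets `HAVE_LANDLOCK_MONITOR` to true purely from the option value, with no check that the build environment actually provides the Landlock UAPI (the `linux/landlock.h` header and the `landlock_*` syscall numbers), so a host with old kernel headers only finds out at compile time. Consider probing with the C compiler object's `has_header('linux/landlock.h')` before setting the define and calling `error()` with a clear message when the option is requested but the header is missing, so the failure lands at configure time instead.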
option('dbus', type: 'boolean', value: true,
description: 'use dbus')
+option('landlock-monitor', type: 'boolean', value: false,
+ description: 'use Landlock to protect the monitor API')
+
option('specfile', type: 'boolean', value: true,
description: 'whether to prepare RPM spec')
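Review bot: since `value: false` makes this a packager opt-in, the description should say what the option actually needs and does, rather than only 'use Landlock to protect the monitor API': that it confines the monitor API thread at build time and requires a Landlock-capable kernel at runtime. Something like `description: 'confine the monitor API thread with Landlock (needs a Landlock-capable kernel at runtime)'` would let someone reading the options file decide without consulting the commit message.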