Add a nesting.conf which can be included to support nesting containers (v2)
authorSerge Hallyn <serge.hallyn@ubuntu.com>
Thu, 3 Sep 2015 20:24:06 +0000 (20:24 +0000)
committerStéphane Graber <stgraber@ubuntu.com>
Mon, 21 Sep 2015 20:42:05 +0000 (16:42 -0400)
Newer kernels have added a new restriction:  if /proc or /sys on the
host has files or non-empty directories which are over-mounted, and
there is no /proc which is fully visible, then it assumes there is a
"security" reason for this.  It prevents anyone in a non-initial user
namespace from creating a new proc or sysfs mount.

To work around this, this patch adds a new 'nesting.conf' which can be
lxc.include'd from a container configuration file.  It adds a
non-overmounted mount of /proc and /sys under /dev/.lxc, so that the
kernel can see that we're not trying to *hide* things like /proc/uptime.
and /sys/devices/virtual/net.  If the host adds this to the config file
for container w1, then container w1 will support unprivileged child
containers.

The nesting.conf file also sets the apparmor profile to the with-nesting
variant, since that is required anyway.  This actually means that
supporting nesting isn't really more work than it used to be, just
different.  Instead of adding

lxc.aa_profile = lxc-container-default-with-nesting

you now just need to

lxc.include = /usr/share/lxc/config/nesting.conf

(Look, fewer characters :)

Finally, in order to maintain the current apparmor protections on
proc and sys, we make /dev/.lxc/{proc,sys} non-read/writeable.
We don't need to be able to use them, we're just showing the
kernel what's what.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
config/apparmor/profiles/lxc-default-with-nesting
config/templates/Makefile.am
config/templates/nesting.conf.in [new file with mode: 0644]
configure.ac

index 03325aae11abcaf4c0fa5ac07d0bb5a3f20692d9..bd7078a8476dd23dda166235e2853932a3166f5d 100644 (file)
@@ -8,6 +8,8 @@ profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_de
 #  Uncomment the line below if you are not using cgmanager
 #  mount fstype=cgroup -> /sys/fs/cgroup/**,
 
+  deny /dev/.lxc/proc/** rw,
+  deny /dev/.lxc/sys/** rw,
   mount fstype=proc -> /var/cache/lxc/**,
   mount fstype=sysfs -> /var/cache/lxc/**,
   mount options=(rw,bind) /var/cache/lxc/**/dev/shm/ -> /var/cache/lxc/**/run/shm/,
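Review bot: The two new deny rules are path-based, so they protect /dev/.lxc/{proc,sys} only while those trees are reachable at that exact path; if a mount rule elsewhere in this profile or its included abstractions permits bind mounts (`mount options=(rw,bind)` or similar), a privileged container can bind /dev/.lxc/proc to another directory and reach a writable /proc/sys or sysfs tree that neither these rules nor the existing /proc denies would match. The profile begins above this hunk, so that cannot be confirmed from here and is worth checking before relying on these denies as the only protection. Note also that `rw` leaves the mount-point directories themselves listable, which is harmless, and that nothing here prevents unmounting /dev/.lxc/proc from inside the container, which would silently break nesting rather than security. A comment above the two lines would help the next reader, e.g. `# /dev/.lxc/{proc,sys} exist only so the kernel's fully-visible check passes (see nesting.conf); never allow the container to use them.`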
index 98441c37a3608f47dabdacedddbc1ff65ba6e2b0..ad136faa50590080bc9af25fe969ce0cb47939e6 100644 (file)
@@ -13,6 +13,7 @@ templatesconfig_DATA = \
        gentoo.common.conf \
        gentoo.moresecure.conf \
        gentoo.userns.conf \
+       nesting.conf \
        oracle.common.conf \
        oracle.userns.conf \
        plamo.common.conf \
diff --git a/config/templates/nesting.conf.in b/config/templates/nesting.conf.in
new file mode 100644 (file)
index 0000000..b712ef6
--- /dev/null
@@ -0,0 +1,8 @@
+# Use a profile which allows nesting
+lxc.aa_profile = lxc-container-default-with-nesting
+
+# Add uncovered mounts of proc and sys, else unprivileged users
+# cannot remount those
+
+lxc.mount.entry = proc dev/.lxc/proc proc create=dir,optional 0 0
+lxc.mount.entry = sys dev/.lxc/sys sysfs create=dir,optional 0 0
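Review bot: The comment on the two mount entries does not say that /dev/.lxc/{proc,sys} are ordinary default-flag proc and sysfs mounts whose only protection is the `deny /dev/.lxc/{proc,sys}/** rw,` rules in lxc-container-default-with-nesting; a config that includes this file and later overrides `lxc.aa_profile` (e.g. to unconfined), or a host without AppArmor enforcement, gets a writable /proc/sys and /sys tree at a path that a `proc:mixed` read-only remount of /proc/sys, if in use, presumably does not cover. The comment should state that dependency, e.g. `# These mounts exist only so the kernel's fully-visible check passes; they are protected solely by the with-nesting AppArmor profile's deny rules, so do not override lxc.aa_profile after this include.` Separately, `optional` makes a failed mount silent, so a rootfs without a usable /dev leaves nested containers unable to mount proc with no hint why; mentioning that in the comment, or dropping `optional` on the proc entry, is worth considering. Whether restrictive flags such as nosuid,nodev,noexec (or ro) can be added without tripping the kernel's mount-flag comparison in its fully-visible check is not something this diff settles, so I would document the plain flags rather than change them untested.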
index c0f5daf57c4b5e8651cb6d678f4641a35dd06faa..207043bb2708e0dca2b694236033323baa2e2186 100644 (file)
@@ -605,6 +605,7 @@ AC_CONFIG_FILES([
        config/templates/gentoo.common.conf
        config/templates/gentoo.moresecure.conf
        config/templates/gentoo.userns.conf
+       config/templates/nesting.conf
        config/templates/oracle.common.conf
        config/templates/oracle.userns.conf
        config/templates/plamo.common.conf