[systemd-devel] What makes systemd-nspawn "not suitable for secure container setups"?

microcai microcai at fedoraproject.org
Fri Apr 22 22:29:40 PDT 2011


On 2011-04-23 12:16, Josh Triplett wrote:
> On Sat, Apr 23, 2011 at 11:28:58AM +0800, microcai wrote:
>> On 2011-04-23 10:55, Josh Triplett wrote:
>>> The systemd-nspawn manpage lists the various mechanisms used to isolate
>>> the container, and then says "Note that even though these security
>>> precautions are taken systemd-nspawn is not suitable for secure
>>> container setups. Many of the security features may be circumvented and
>>> are hence primarily useful to avoid accidental changes to the host
>>> system from the container."
>>>
>>> How can a process in a systemd-nspawn container circumvent the container
>>
>> remount /proc and /sys
> 
> Ah, good point.  So, root inside the container can trivially circumvent
> the container that way.  Any way to prevent that with current kernel
> support, or would fixing this require additional kernel changes to lock
> down other /proc and /sys mounts?


OpenVZ is what you need for that. OpenVZ is much like systemd-nspawn,
but more secure, so it can be used to provide VPS ;)

> 
> That particular problem only applies if running code within the
> container as root.  How about if running code as an unprivileged user?
> With that addition, does systemd-nspawn provide a secure container
> (modulo local privilege escalation vulnerabilities)?
> 
> Thanks,
> Josh Triplett

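An added example, not part of this thread or of systemd: a small POSIX shell audit that checks, from inside a container, the two conditions the thread turns on, namely whether the process holds CAP_SYS_ADMIN (which mount(2) requires to remount /proc or /sys) and whether those filesystems are mounted read-only. The CapEff values and mountinfo lines below are constructed samples; the field layouts are those of /proc/<pid>/status and /proc/self/mountinfo.

```shell
#!/bin/sh
# Added audit script, not from the thread. Inside a container it answers two
# questions the thread raises: does this process hold CAP_SYS_ADMIN (mount(2)
# needs it to remount /proc or /sys) and are /proc and /sys mounted read-only?
# Checks take their input as arguments; pass --live to read the real files.

CAP_SYS_ADMIN=21   # capability bit number from <linux/capability.h>
# Constructed sample data (not captured from a real system).
SAMPLE_CAPEFF_ROOT=0000003fffffffff   # typical root: bit 21 set
SAMPLE_CAPEFF_USER=0000000000000000   # unprivileged user: no capabilities
SAMPLE_MOUNTINFO='22 1 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
23 1 0:22 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
24 1 0:23 / / rw,relatime - ext4 /dev/sda1 rw'

# has_cap_sys_admin HEX: HEX is the value on the "CapEff:" line of /proc/self/status
has_cap_sys_admin() {
    [ $(( (0x$1 >> CAP_SYS_ADMIN) & 1 )) -eq 1 ]
}

# mount_opts MOUNTINFO_TEXT MOUNTPOINT: print field 6 (per-mount options) of
# the last, i.e. currently visible, mount at MOUNTPOINT
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$5 == mp { o = $6 } END { print o }'
}

# opts_are_ro OPTIONS: true if the comma-separated option list contains "ro"
opts_are_ro() {
    case ",$1," in *,ro,*) return 0 ;; *) return 1 ;; esac
}

# audit CAPEFF_HEX MOUNTINFO_TEXT: report mount state; return 0 only when the
# process lacks CAP_SYS_ADMIN and so cannot remount /proc or /sys
audit() {
    for mp in /proc /sys; do
        if opts_are_ro "$(mount_opts "$2" "$mp")"; then echo "$mp: read-only"
        else echo "$mp: writable (or not mounted)"; fi
    done
    if has_cap_sys_admin "$1"; then
        echo "CAP_SYS_ADMIN held: /proc and /sys can be remounted"; return 1
    fi
    echo "CAP_SYS_ADMIN not held: remount attempts are refused"; return 0
}

if [ "${1:-}" = "--live" ]; then
    audit "$(awk '/^CapEff:/ { print $2 }' /proc/self/status)" "$(cat /proc/self/mountinfo)"
fi
```

The verdict applies only to the calling process's own capability set, which is what the thread's root-versus-unprivileged distinction comes down to.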

