dbus and Linux Containers
Sungbae Yoo
sungbae.yoo at samsung.com
Thu Apr 2 19:35:11 PDT 2015
Hi,
I want the container to share the "outer" system bus also.
But this has some problems:
1. Sending method calls or signals to another container may create a security vulnerability.
2. It is impossible to send a signal only to the container which I want.
I think these problems can be solved by using dbus policy.
So, I made some dbus policies for the container to share the "outer" system bus.
I'd like to suggest this "DBus namespace policy" to you.
* This will operate as follows:
DBus namespace policy can know the current namespace by reading /proc/[current PID]/cpuset.
This has 3 targets. A target means where to apply dbus policies.
- private : current namespace only
- protected : current namespace + child namespaces + parent namespaces
- public : all namespaces
* The priority is as follows:
default < namespace < mandatory
* This can be applied as follows:
1. If you want to send signals or method calls
to outside of containers and container 1 from container 1,
to outside of containers and container 2 from container 2,
......
to outside of containers and container N from container N,
to all of containers from outside of containers,
just put this in the system bus configuration file.
<policy namespace="protected">
  <allow send_type="method_call"/>
  <allow send_type="signal"/>
  <allow send_requested_reply="true" send_type="method_return"/>
  <allow send_requested_reply="true" send_type="error"/>
</policy>
2. And if you want to send signals to a specific container from outside of the containers,
just set "protected" and send the signals inside that specific container by using lxc-attach.
What do you think of this suggestion?
Thanks,
Best regards, Sungbae Yoo.
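As an added illustration of the semantics described in the proposal above (this is example code written for this archive page, not code from the dbus project or from the proposal itself), the following Python model reads the cpuset path the proposal uses to identify a container, classifies the relation between a sender's and a receiver's namespace, and evaluates a constructed system-bus configuration that combines a default deny with the proposal's "protected" policy block, ranking contexts default < namespace < mandatory. The interpretation that "protected" covers the same, ancestor and descendant cpuset paths, and that the last matching rule of the highest-ranked context wins, is an assumption drawn from the text, not a statement about how the dbus daemon implements policy.

```python
"""Simplified model of the proposed dbus "namespace" policy target.

Added example, not dbus code. Assumptions: a connection's container is
identified by the cpuset path in /proc/<pid>/cpuset (as the proposal says),
private/protected/public mean same / same+parents+children / any namespace,
and contexts rank default < namespace < mandatory with the last matching
rule winning (dbus denies when no rule matches).
"""
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Constructed sample config: a default deny plus the proposal's "protected" block.
SAMPLE_CONFIG = """<busconfig>
  <policy context="default">
    <deny send_type="method_call"/>
    <deny send_type="signal"/>
  </policy>
  <policy namespace="protected">
    <allow send_type="method_call"/>
    <allow send_type="signal"/>
    <allow send_requested_reply="true" send_type="method_return"/>
    <allow send_requested_reply="true" send_type="error"/>
  </policy>
</busconfig>"""

CONTEXT_RANK = {"default": 0, "namespace": 1, "mandatory": 2}


def read_cpuset(pid="self", proc_root="/proc"):
    """Return the cpuset path of a process (e.g. "/lxc/web"), which the
    proposal uses to learn which container a connection lives in."""
    with open(f"{proc_root}/{pid}/cpuset", encoding="ascii") as f:
        return f.read().strip()


def namespace_relation(sender_ns, receiver_ns):
    """Classify the receiver's cpuset path relative to the sender's."""
    s, r = PurePosixPath(sender_ns), PurePosixPath(receiver_ns)
    if s == r:
        return "same"
    if r in s.parents:
        return "parent"    # receiver is an ancestor (e.g. the host, "/")
    if s in r.parents:
        return "child"     # receiver is a descendant (e.g. "/lxc/c1" from "/")
    return "unrelated"     # sibling containers


def target_covers(target, sender_ns, receiver_ns):
    """Does a policy with this namespace target apply to this sender/receiver pair?"""
    rel = namespace_relation(sender_ns, receiver_ns)
    if target == "private":
        return rel == "same"
    if target == "protected":
        return rel in ("same", "parent", "child")
    if target == "public":
        return True
    raise ValueError(f"unknown namespace target: {target}")


def parse_policies(xml_text):
    """Flatten <policy> blocks into (rank, target, verdict, attrs) tuples,
    ordered by context rank while keeping document order within a rank."""
    rules = []
    for policy in ET.fromstring(xml_text).findall("policy"):
        if "namespace" in policy.attrib:
            rank, target = CONTEXT_RANK["namespace"], policy.attrib["namespace"]
        else:
            rank, target = CONTEXT_RANK[policy.attrib.get("context", "default")], None
        for rule in policy:
            if rule.tag in ("allow", "deny"):
                rules.append((rank, target, rule.tag, dict(rule.attrib)))
    return sorted(rules, key=lambda rule: rule[0])  # sorted() is stable


def decide(rules, sender_ns, receiver_ns, msg_type, requested_reply=False):
    """Return "allow" or "deny" for one message; later (higher-ranked or
    later-listed) matching rules override earlier ones."""
    verdict = "deny"
    for _rank, target, rule_verdict, attrs in rules:
        if target is not None and not target_covers(target, sender_ns, receiver_ns):
            continue
        if attrs.get("send_type", msg_type) != msg_type:
            continue
        want_reply = attrs.get("send_requested_reply")
        if want_reply is not None and (want_reply == "true") != requested_reply:
            continue
        verdict = rule_verdict
    return verdict


if __name__ == "__main__":
    rules = parse_policies(SAMPLE_CONFIG)
    # Constructed cpuset paths standing in for two LXC containers and the host.
    for sender, receiver, kind in [("/lxc/c1", "/", "method_call"),
                                   ("/lxc/c1", "/lxc/c2", "method_call"),
                                   ("/", "/lxc/c2", "signal")]:
        print(f"{sender} -> {receiver} {kind}: {decide(rules, sender, receiver, kind)}")
```

The sibling case ("/lxc/c1" to "/lxc/c2") is the one the proposal's first problem is about: with only a "protected" allow on top of a default deny it stays denied, while traffic between a container and the host in either direction is allowed.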