dbus and Linux Containers

Sungbae Yoo sungbae.yoo at samsung.com
Thu Apr 2 19:35:11 PDT 2015

I want the container to share the "outer" system bus also.

But this has some problems :
1. Sending method calls or signals to another container may make security vulnerability.
2. It is impossible to send a signal to the container which only I want.

I think this problems can be solved by using dbus policy.

So, I made some dbus policies for the container to share the "outer" system bus.
I'd like to suggest this "DBus namespace policy" you.

* This will operate as follows :

DBus namespace policy can know current namespace by reading /proc/[current PID]/cpuset.

This has 3 targets. target means where to apply dbus policies.
- private : current namespace only
- protected : current namespace + child namespaces + parent namespaces
- pulblic : all of namespacess

* This priority is as follows :
default < namespace < mandatory

* This can be applied as follows :

1. If you want to send signals or method calls
to outside of containers and container 1 from container 1,
to outside of containers and container 2 from container 2,
to outside of containers and container N from container N,
to all of containers from outside of containers,
Just put this in system bus configuration file.

<policy namespace="protected"> 
    <allow send_type="method_call"/> 
    <allow send_type="signal"/> 
    <allow send_requested_reply="true" send_type="method_return"/> 
    <allow send_requested_reply="true" send_type="error"/> 

2. And if you want to send signals to specific container from outside of container.
Just set "protected" and send signals in specific container by using lxc-attach

How do you think this suggestion?

Best regards, Sungbae Yoo.

More information about the dbus mailing list