dbus and Linux Containers

Kyungmin Park kmpark at infradead.org
Mon Apr 6 23:44:54 PDT 2015


+ adding Simon.

It's another approach. Any comments?

Thank you,
Kyungmin Park

On Fri, Apr 3, 2015 at 11:35 AM, Sungbae Yoo <sungbae.yoo at samsung.com> wrote:
> Hi,
> I want the container to share the "outer" system bus also.
>
> But this has some problems :
> 1. Sending method calls or signals to another container may create a security vulnerability.
> 2. It is impossible to send a signal only to the container I want.
>
> I think these problems can be solved by using a dbus policy.
>
> So, I made some dbus policies for the container to share the "outer" system bus.
> I'd like to suggest this "DBus namespace policy" to you.
>
>
> * This will operate as follows :
>
> The DBus namespace policy can find out the current namespace by reading /proc/[current PID]/cpuset.
>
> This has 3 targets. A target means where to apply dbus policies.
> - private : current namespace only
> - protected : current namespace + child namespaces + parent namespaces
> - public : all namespaces
>
>
> * This priority is as follows :
> default < namespace < mandatory
>
>
> * This can be applied as follows :
>
> 1. If you want to send signals or method calls
> to outside of containers and container 1 from container 1,
> to outside of containers and container 2 from container 2,
> ......
> to outside of containers and container N from container N,
> to all of containers from outside of containers,
> Just put this in the system bus configuration file.
>
> <policy namespace="protected">
>     <allow send_type="method_call"/>
>     <allow send_type="signal"/>
>     <allow send_requested_reply="true" send_type="method_return"/>
>     <allow send_requested_reply="true" send_type="error"/>
> </policy>
>
> 2. And if you want to send signals to a specific container from outside of the container,
> just set "protected" and send the signals in the specific container by using lxc-attach.
>
>
> What do you think of this suggestion?
>
>
> Thanks,
> Best regards, Sungbae Yoo.
> _______________________________________________
> dbus mailing list
> dbus at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/dbus
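As an added illustration (not code from either poster, and not dbus-daemon's own implementation), here is a small Python model of the matching the proposal describes: it evaluates the quoted policy for a message between two namespaces derived from /proc/<pid>/cpuset. It assumes that a child container's cpuset path is nested under its parent's (so parent/child is a path-prefix test), that the host's cpuset is "/", and that the cpuset values and function names used here are made up for the example.

```python
import xml.etree.ElementTree as ET

# The policy quoted in the thread, in a busconfig root; namespace= is the proposal's extension.
POLICY_XML = """<busconfig>
  <policy namespace="protected">
    <allow send_type="method_call"/>
    <allow send_type="signal"/>
    <allow send_requested_reply="true" send_type="method_return"/>
    <allow send_requested_reply="true" send_type="error"/>
  </policy>
</busconfig>"""

def namespace_of(cpuset_line: str) -> str:
    """Normalise a /proc/<pid>/cpuset line: '/' for the host, '/lxc/c1' for a
    container (assumed layout; the sample values here are constructed)."""
    return "/" + cpuset_line.strip().strip("/")

def is_ancestor_or_same(a: str, b: str) -> bool:
    """True if a is b or an ancestor of b. Assumes a child namespace's cpuset
    path is nested under its parent's, so ancestry is a path-prefix test."""
    return a == b or b.startswith(a.rstrip("/") + "/")

def in_scope(target: str, sender_ns: str, receiver_ns: str) -> bool:
    """private: same namespace only; protected: same, parent or child; public: any."""
    if target == "public":
        return True
    if target == "private":
        return sender_ns == receiver_ns
    if target == "protected":
        return (is_ancestor_or_same(sender_ns, receiver_ns)
                or is_ancestor_or_same(receiver_ns, sender_ns))
    raise ValueError(f"unknown namespace target {target!r}")

def message_allowed(policy_xml: str, sender_ns: str, receiver_ns: str,
                    msg_type: str, requested_reply: bool = False) -> bool:
    """True if an <allow> in a policy whose target covers the pair matches the
    message type; anything not explicitly allowed is refused."""
    root = ET.fromstring(policy_xml)
    for policy in root.iter("policy"):
        target = policy.get("namespace")
        if target is None or not in_scope(target, sender_ns, receiver_ns):
            continue
        for rule in policy.findall("allow"):
            if rule.get("send_type") != msg_type:
                continue
            # Replies are allowed only when they answer a call the peer made.
            if rule.get("send_requested_reply") == "true" and not requested_reply:
                continue
            return True
    return False
```

With the quoted "protected" policy, container 1 can reach the host and the host can reach any container, but a signal from container 1 to container 2 matches no rule and is refused.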

