dbus and Linux Containers
kmpark at infradead.org
Mon Apr 6 23:44:54 PDT 2015
+ adding Simon.
It's another approach. Any comments?
On Fri, Apr 3, 2015 at 11:35 AM, Sungbae Yoo <sungbae.yoo at samsung.com> wrote:
> I want the container to share the "outer" system bus also.
> But this has some problems :
> 1. Sending method calls or signals to another container may create a security vulnerability.
> 2. It is impossible to send a signal only to the container I want.
> I think these problems can be solved by using dbus policy.
> So, I made some dbus policies for the container to share the "outer" system bus.
> I'd like to suggest this "DBus namespace policy" to you.
> * This will operate as follows :
> The DBus namespace policy can determine the current namespace by reading /proc/[current PID]/cpuset.
> This has 3 targets. A target means where to apply dbus policies.
> - private : current namespace only
> - protected : current namespace + child namespaces + parent namespaces
> - public : all namespaces
> * This priority is as follows :
> default < namespace < mandatory
> * This can be applied as follows :
> 1. If you want to send signals or method calls
> to outside of containers and container 1 from container 1,
> to outside of containers and container 2 from container 2,
> to outside of containers and container N from container N,
> to all of containers from outside of containers,
> Just put this in the system bus configuration file.
> <policy namespace="protected">
> <allow send_type="method_call"/>
> <allow send_type="signal"/>
> <allow send_requested_reply="true" send_type="method_return"/>
> <allow send_requested_reply="true" send_type="error"/>
> </policy>
> 2. And if you want to send signals to a specific container from outside of the container,
> just set "protected" and send the signals inside that specific container by using lxc-attach.
> What do you think of this suggestion?
> Best regards, Sungbae Yoo.
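As an added illustration (not code from the thread or from dbus-daemon), the following Python models the proposed scope check and the default < namespace < mandatory precedence. It assumes a peer's namespace is the cpuset path read from /proc/<pid>/cpuset and that nested paths express child/parent namespaces; the peer names and paths are constructed samples.

```python
# Added example (not code from the thread): a model of the proposed
# "DBus namespace policy". Assumptions: a peer's namespace is the cpuset
# cgroup path read from /proc/<pid>/cpuset ("/" = host, "/lxc/c1" =
# container c1), and child/parent namespaces are nested paths.
PRIORITY = {"default": 0, "namespace": 1, "mandatory": 2}

# Constructed sample of what /proc/<pid>/cpuset would contain per peer.
SAMPLE_CPUSETS = {
    "host-daemon": "/",
    "c1-app": "/lxc/c1",
    "c1-nested": "/lxc/c1/inner",
    "c2-app": "/lxc/c2",
}

def _parts(path):
    return tuple(p for p in path.strip().split("/") if p)

def in_scope(target, sender_ns, receiver_ns):
    """True if <policy namespace=target> applies to a message from
    sender_ns to receiver_ns, per the proposal's three targets."""
    s, r = _parts(sender_ns), _parts(receiver_ns)
    if target == "public":       # all namespaces
        return True
    if target == "private":      # current namespace only
        return s == r
    if target == "protected":    # current + child + parent namespaces
        return r[:len(s)] == s or s[:len(r)] == r
    raise ValueError("unknown namespace target: %s" % target)

def evaluate(rules, sender_ns, receiver_ns, send_type):
    """Rules are (context, target, send_type, allow) tuples; the matching
    rule with the highest context wins, later rules winning ties."""
    decision, best = False, -1
    for context, target, rule_type, allow in rules:
        if rule_type is not None and rule_type != send_type:
            continue
        if context == "namespace" and not in_scope(target, sender_ns, receiver_ns):
            continue
        if PRIORITY[context] >= best:
            decision, best = allow, PRIORITY[context]
    return decision

# The proposal's <policy namespace="protected"> rules on top of a
# deny-everything default (reply rules omitted for brevity).
PROPOSED = [
    ("default", None, None, False),
    ("namespace", "protected", "method_call", True),
    ("namespace", "protected", "signal", True),
]
```

With these rules the host reaches every container and a container reaches the host and its own nested children, but container c1 cannot signal container c2; a later "mandatory" deny overrides the namespace allow.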