[systemd-devel] Improving systemd-nspawn at .service (container dir/nonpersistent journal)

Lennart Poettering lennart at poettering.net
Thu Nov 20 15:36:19 PST 2014


On Thu, 20.11.14 14:48, Martin Pitt (martin.pitt at ubuntu.com) wrote:

> > Sounds reasonable. But first, can you elaborate on the reason for 0700
> > rather than 0755?
> 
> Mostly so that users on the host can't call suid root binaries in the
> container. If containers are restricted with selinux/apparmor or
> started as user (both happen in Ubuntu for LXC, for example) this
> would open a way to escalate root privs in a container into root privs
> on the host. https://launchpad.net/bugs/1244635 has the
> details/history of this.
> 
> I know that upstream systemd doesn't ship AppArmor/SELinux profiles,
> and thus your stance is that containers are inherently insecure. So if
> you aren't convinced by the calling of suid root binaries, 0755 is
> also ok for upstream, or we just skip this part entirely (it's really
> just a small detail, after all).
> 
> Patch attached.

OK, applied. Thanks.

> diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
> index c2311b3..5a80cf2 100644
> --- a/src/nspawn/nspawn.c
> +++ b/src/nspawn/nspawn.c
> @@ -124,6 +124,7 @@ static bool arg_private_network = false;
>  static bool arg_read_only = false;
>  static bool arg_boot = false;
>  static LinkJournal arg_link_journal = LINK_AUTO;
> +static bool link_journal_try = false;
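Review bot: the new global `link_journal_try` breaks the naming convention of the three declarations directly above it (`arg_read_only`, `arg_boot`, `arg_link_journal`), which all carry the `arg_` prefix for state parsed from the command line; rename it to `arg_link_journal_try`. A one-line comment stating how this flag modifies `arg_link_journal` (which defaults to `LINK_AUTO` on the line just above) would also help, since the hunk declares the variable without indicating where it is consulted.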

So far we prefixed all variables parsed from command line arguments
with "arg_", please follow the same scheme for this.

Otherwise looks great!

Lennart

-- 
Lennart Poettering, Red Hat

