* Re: [PVE-User] systemd-logind.service (Piviul)
@ 2022-09-09 10:58 Kalpesh Sejpal
0 siblings, 0 replies; only message in thread
From: Kalpesh Sejpal @ 2022-09-09 10:58 UTC (permalink / raw)
To: pve-user
Hi Piviul,
Using it with unprivileged containers doesn't have any security risks.
The AppArmor profile for the nesting flag is
# /etc/apparmor.d/lxc/lxc-default-cgns-with-nesting
profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  #include <abstractions/lxc/start-container>

  # no read or write access to the proc/sys trees LXC keeps under /dev/.lxc
  deny /dev/.lxc/proc/** rw,
  deny /dev/.lxc/sys/** rw,

  # a nested container runtime may mount its own cgroup/proc/sysfs trees
  mount fstype=cgroup -> /sys/fs/cgroup/**,
  mount fstype=proc -> /var/cache/lxc/**,
  mount fstype=sysfs -> /var/cache/lxc/**,
  mount options=(rw,bind),
}
But privileged containers with the nesting flag can modify sys/** and
proc/** of other containers, which can be disastrous.
Regards,
Kalpesh Sejpal
On Fri, 9 Sep, 2022, 3:30 pm , <pve-user-request@lists.proxmox.com> wrote:
> Message: 1
> Date: Thu, 8 Sep 2022 11:58:51 +0200
> From: Piviul <piviul@riminilug.it>
> To: pve-user@lists.proxmox.com
> Subject: Re: [PVE-User] systemd-logind.service
> Message-ID: <b520b36f-a052-4356-285e-334bc3945a71@riminilug.it>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> On 05/09/22 12:27, Kalpesh Sejpal wrote:
> > Hi,
> >
> > It's better to enable the features flag nesting=1 for each LXC container with
> > that error.
> >
> > Please check security concerns before changing it.
> >
> > If you can't do that then another alternative is to mask the systemd-logind
> > service.
>
> Hi Kalpesh, thank you very much. In effect both solutions seem to work.
> Are there security risks in setting the nesting flag on an unprivileged container?
>
> Piviul
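A check for the combination the message warns about, privileged containers that also carry the nesting flag (an added example, not code from Kalpesh's message or from the Proxmox project). It assumes the default Proxmox config directory /etc/pve/lxc with one <vmid>.conf per container in the "key: value" format Proxmox writes, where a container is privileged when "unprivileged: 1" is absent, and where lines after a "[snapshot]" header belong to a snapshot rather than the live config. The sample configs used to exercise it are constructed.

```shell
#!/bin/sh
# audit_nesting DIR: print the vmid of every container in DIR whose live config
# has features: ...nesting=1... but is not unprivileged: 1 (i.e. is privileged).
# Assumed layout: DIR/<vmid>.conf as Proxmox keeps under /etc/pve/lxc.
audit_nesting() {
  dir="${1:-/etc/pve/lxc}"
  for f in "$dir"/*.conf; do
    [ -e "$f" ] || continue
    vmid=$(basename "$f" .conf)
    # Stop at the first "[name]" line so snapshot sections are not read as the
    # live settings; the features value is a comma-separated list, so nesting
    # may appear anywhere in it.
    nesting=$(sed -n '/^\[/q; s/^features: .*nesting=\([01]\).*/\1/p' "$f")
    unpriv=$(sed -n '/^\[/q; s/^unprivileged: \([01]\)$/\1/p' "$f")
    if [ "$nesting" = "1" ] && [ "$unpriv" != "1" ]; then
      echo "$vmid"
    fi
  done
}

# Run against the given directory (or /etc/pve/lxc) when executed directly.
audit_nesting "$@"
```

Each vmid printed is a privileged container with nesting enabled; either switch it to an unprivileged container or drop the nesting feature and mask systemd-logind instead, as the earlier message suggested.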