LXC as a desktop sandbox... Help?

[GJones]

I'm thinking of using LXC for desktop and home server sandboxing purposes - it's not that secure, IIRC, but I think it should be secure enough for home use if set up right.

Unfortunately, 'lxc-execute' does not seem to set it up right. If I create an LXC named "foo" and run 'lxc-execute -n foo /bin/bash", what I get appears equivalent to the whole root filesystem being mounted -o rbind,rw in the container. If I su to my user account, I see the entire contents of the account's home directory; if I create a file there, it shows up in the real home directory, and if I delete one, it gets deleted in the real home directory. Everyhing is read-write and suid binaries are still suid... In short, it looks like this is a good deal less protection than I would get from something like this:

Code: Select all

for x in lib bin sbin usr etc dev proc sys var tmp; do
    mkdir -p /sandbox/$x
    mount --rbind /$x /sandbox/$x
    mount -o remount,ro,nosuid /sandbox/$x
done

mkdir -p /sandbox/home/username
chown username:users /sandbox/home/username
cp /home/username/.Xauthority /sandbox/home/username

chroot --userspec=username /sandbox /bin/bash

Am I missing something? How can I tweak Linux containers to limit the access of users in the container to system resources, and to the contents of their normal home directories? Am I barking up the wrong tree here?

[fredg]

Hi,

I'm not really understand how you have setup yur LXC.

Did you use the salix-lxc ?
http://www.salixos.org/forum/viewtopic. ... 86&p=22045

It is a template that will install a complete salix core system in a linux container, which is btw very secure by design
There is another link if you don't want a full salix core system to install a very light slackware system.
There are some links too that are worth reading if you want to learn a bit about lxc.

++

[GJones]

Ah, no, I'm basically trying to do with LXC what sandfox or schroot does with a normal chroot...

Anyway I think I figured it out... I need to create an lxc.conf file. Duh! Quoth the lxc.conf man page:

lxc.rootfs
specify the root file system for the container. It can be an
image file, a directory or a block device. If not specified, the
container shares its root file system with the host.

So if you don't give it any configuration, it won't do any filesystem isolation.

[GJones]

Ugh, this is rather complicated...

To test things, I created a directory with the following contents:

Code: Select all

$ ls /mnt/lxc
bin  dev  etc  lib  proc  sbin  usr

And the following as /etc/lxc.conf:

Code: Select all

lxc.rootfs=/mnt/lxc
lxc.mount=/etc/lxc.fstab

And the following as /etc/lxc.fstab:

Code: Select all

/lib /mnt/lxc/lib none ro,bind,nosuid 0 0
/bin /mnt/lxc/bin none ro,bind,nosuid 0 0
/sbin /mnt/lxc/sbin none ro,bind,nosuid 0 0
/usr /mnt/lxc/usr none ro,bind,nosuid 0 0
/etc /mnt/lxc/etc none ro,bind,nosuid 0 0

And this is what happens:

Code: Select all

~# lxc-create -n foo -f /etc/lxc.conf
'foo' created
~# lxc-execute -n foo /bin/bash
/#

Okay fine. I start typing and...

Code: Select all

/# lxc-execute: Input/output error - failed to read

Following which nothing I type shows up. What's this about?

[fredg]

lxc-execute is for running an application, I hope that you don't really run foo
If you want to enter to a container and run some commands you need to run lxc-start.
http://lxc.sourceforge.net/man/lxc.html

++

[GJones]

Thanks, still clearly doing something wrong here though:

Code: Select all

~# lxc-start -n foo -f /etc/lxc.conf /bin/bash
/# lxc-start: Input/output error - failed to read

'lxc-start -n foo /bin/bash' works fine, as it should, but again performs no filesystem isolation at all.

[fredg]

Do you have cgroup enable ?
And, I do not see something in your /dev container.
Maybe check the template to see how it is make if you don't want to use one.

++

[GJones]

Got cgroups enabled. You're right about /dev, but mounting that doesn't change anything. Weird.

Re templates, aren't those for when you want to create a whole new system? Also, all the example config files seem to be concerned with networking stuff as opposed to filesystem restrictions.

[fredg]

I think that your LXC has trouble because there's nothing to start.
If you want to start an app (lxc-execute) you have to first install this app into it.
If you want to run a minimal system (lxc-start) you have to install a minimal system first too.

Re templates, aren't those for when you want to create a whole new system?

Template are there to easily build a LXC.
What you have done as making dirs, mounting dirs, ... can be written in a file and then it will be called a template.
It's just to automate things.

Check the sshd one ( /usr/lib/lxc(64)/templates/lxc-sshd ), it's the lighter one, you only got a container on which you can run SSH. So, you will got the basic stuff to run one.

For networking, I think that it's important, it's the only way for a container to access an internal network, and then if you want, the net (bridge, nat, ...). Even if you are not going to use it it's good to do the setup.

Even on a simple chroot system you have to install first what you want to use.
Remember that LXC is more than a chroot, it is described as “chroot on steroids”

++