grsecurity forums


http://forums.grsecurity.net./

LXC system initialization (exec of /sbin/init denied)

http://forums.grsecurity.net./viewtopic.php?f=5&t=4102

Page 1 of 1

LXC system initialization (exec of /sbin/init denied)

PostPosted: Sun Dec 14, 2014 2:56 pm
by trupanka
Hi.
I try to run lxc-start on RBAC-enabled system with special role.
In learning mode lxc-container starts and works.
But with `gradm -E` and auto generated config (https://dpaste.de/zHNS/raw)
I got the /sbin/init denied message in kernel log's.
Code: Select all
Dec 14 20:29:43 hellstation kernel: grsec: (root:U:/sbin/gradm) exec of /sbin/gradm (gradm -a lxc ) by /sbin/gradm[bash:18327] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:11348] uid/euid:0/0 gid/egid:0/0
Dec 14 20:29:45 hellstation kernel: grsec: (root:U:/sbin/gradm) successful change to special role lxc (id 40) by /sbin/gradm[gradm:18327] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:11348] uid/euid:0/0 gid/egid:0/0
Dec 14 20:29:48 hellstation kernel: grsec: (lxc:S:/usr/sbin/lxc-start) exec of /usr/sbin/lxc-start (lxc-start -n server ) by /usr/sbin/lxc-start[bash:18328] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:11348] uid/euid:0/0 gid/egid:0/0
Dec 14 20:29:48 hellstation kernel: IPv6: ADDRCONF(NETDEV_UP): server0: link is not ready
Dec 14 20:29:48 hellstation kernel: IPv6: ADDRCONF(NETDEV_UP): server1: link is not ready
Dec 14 20:29:48 hellstation kernel: grsec: (lxc:S:/bin/bash) exec of /bin/bash (sh -c /etc/lxc/server/if-up.sh server net up veth server1 ) by /bin/bash[lxc-start:18332] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/lxc-start[lxc-start:18328] uid/euid:0/0 gid/egid:0/0
Dec 14 20:29:48 hellstation kernel: grsec: (lxc:S:/bin/bash) exec of /etc/lxc/server/if-up.sh (/etc/lxc/server/if-up.sh server net up veth server1 ) by /etc/lxc/server/if-up.sh[sh:18332] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/lxc-start[lxc-start:18328] uid/euid:0/0 gid/egid:0/0
Dec 14 20:29:48 hellstation kernel: grsec: (lxc:S:/sbin/brctl) exec of /sbin/brctl (brctl addif br0 server0 ) by /sbin/brctl[if-up.sh:18337] uid/euid:0/0 gid/egid:0/0, parent /etc/lxc/server/if-up.sh[if-up.sh:18332] uid/euid:0/0 gid/egid:0/0
Dec 14 20:29:48 hellstation kernel: device server0 entered promiscuous mode
Dec 14 20:29:48 hellstation kernel: grsec: (lxc:S:/bin/ifconfig) exec of /bin/ifconfig (ifconfig server0 up ) by /bin/ifconfig[if-up.sh:18338] uid/euid:0/0 gid/egid:0/0, parent /etc/lxc/server/if-up.sh[if-up.sh:18332] uid/euid:0/0 gid/egid:0/0
Dec 14 20:29:48 hellstation kernel: grsec: (lxc:S:/sbin/brctl) exec of /sbin/brctl (brctl addif br1 server1 ) by /sbin/brctl[if-up.sh:18340] uid/euid:0/0 gid/egid:0/0, parent /etc/lxc/server/if-up.sh[if-up.sh:18332] uid/euid:0/0 gid/egid:0/0
Dec 14 20:29:48 hellstation kernel: device server1 entered promiscuous mode
Dec 14 20:29:48 hellstation kernel: br1: port 1(server1) entered forwarding state
Dec 14 20:29:48 hellstation kernel: br1: port 1(server1) entered forwarding state
Dec 14 20:29:48 hellstation kernel: grsec: (lxc:S:/bin/ifconfig) exec of /bin/ifconfig (ifconfig server1 up ) by /bin/ifconfig[if-up.sh:18341] uid/euid:0/0 gid/egid:0/0, parent /etc/lxc/server/if-up.sh[if-up.sh:18332] uid/euid:0/0 gid/egid:0/0
Dec 14 20:29:48 hellstation kernel: grsec: (lxc:S:/bin/bash) exec of /bin/bash (sh -c zfs list 2> /dev/null ) by /bin/bash[lxc-start:18350] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/lxc-start[lxc-start:18346] uid/euid:0/0 gid/egid:0/0
Dec 14 20:29:48 hellstation kernel: eth0: renamed from vethAJGVV4
Dec 14 20:29:48 hellstation kernel: eth1: renamed from veth1HYV91
Dec 14 20:29:48 hellstation kernel: EXT4-fs (dm-32): mounted filesystem with ordered data mode. Opts: (null)
Dec 14 20:29:48 hellstation kernel: EXT4-fs (dm-33): mounted filesystem with ordered data mode. Opts: (null)
Dec 14 20:29:48 hellstation kernel: EXT4-fs (dm-34): mounted filesystem with ordered data mode. Opts: (null)
Dec 14 20:29:48 hellstation kernel: grsec: (lxc:S:/usr/sbin/lxc-start) [b]denied execution of /sbin/init[/b] by /usr/sbin/lxc-start[lxc-start:18346] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/lxc-start[lxc-start:18328] uid/euid:0/0 gid/egid:0/0

Re: LXC system initialization (exec of /sbin/init denied)

PostPosted: Sun Dec 14, 2014 9:20 pm
by spender
You're mounting filesystems with RBAC enabled -- this isn't a supported use-case. Other than that, there might also be mount namespaces in use which also are currently unsupported.

-Brad

Re: LXC system initialization (exec of /sbin/init denied)

PostPosted: Mon Dec 15, 2014 3:03 am
by trupanka
spender wrote:You're mounting filesystems with RBAC enabled -- this isn't a supported use-case. Other than that, there might also be mount namespaces in use which also are currently unsupported.

-Brad


I think it's the first issue. I'll try to run lxc with pre-mounted rootfs image.
Thank you.

Re: LXC system initialization (exec of /sbin/init denied)

PostPosted: Mon Dec 15, 2014 12:18 pm
by trupanka
I'll try to run lxc with pre-mounted rootfs image.


That didn't make sense (pivoted dir not seen by RBAC anyway).
LXC supports apparmor and SELinux.
May be I'll try to combine grsec RBAC for the host and AppArmor for containers.
But I'm not shure whether it improves security...
All times are UTC - 5 hours [ DST ]
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/