LXC privilege level?

madsmao

I'm up and running with PVE v4.1, and I rather like it so far. However, I ran into a little security snag with LXC today, and that made me start to dig a bit more into LXC security, but first the problem that triggered it all.

The problem is that you can view the complete output of the host dmesg from within an LXC guest. I tried the following to no avail:
Code:
nano /etc/sysctl.conf
# Add to bottom of file
kernel.dmesg_restrict=1

And then I ran "sysctl -p" to apply the new setting. Sadly, dmesg output is still visible from within my guest.

I did some further digging and discovered that this might be related to LXC privilege level, but since I am new to LXC I'm not familiar with this concept. That can be remedied of course, but in the meantime I would like to ask for any and all input I can get in regards to securing LXC in the context of Proxmox. Ideally, I want my LXC guest users to have as much freedom as possible, but without being able to sabotage things for other LXC guests, and certainly without being able to fiddle with the host.
 
Code:
dmesg_restrict:

(...) When dmesg_restrict is set to (1), users must have
CAP_SYSLOG to use dmesg(8).

To disable this you need to set this sysctl to 1 and remove CAP_SYSLOG from the container's capability set. However there's a chance this is too restrictive for some services. Feel free to test:
Code:
# /etc/pve/lxc/$vmid.conf add:
lxc.cap.drop: syslog
 
Thanks for your input Wolfgang. I will try your suggestion and see how it affects the guests.

And yes, we do have a commercial support subscription for all our 5 nodes. It's the basic community version, but still happy to be able to support this great product.
 
madsmao: can you give your feedback concerning your tests with "lxc.cap.drop: syslog" and side effects, please?

Well, I honestly haven't done very comprehensive testing, so not much info I can share. The setting has worked fine for the containers where I implemented it, but that's not to say that it will work in all situations. There are rather a lot of tweaks you can do to the settings, and I would like to come up with a nice set of defaults, but I haven't arrived at anything I'm comfortable with yet.
 
# /etc/pve/lxc/$vmid.conf add:
lxc.cap.drop: syslog

cat /etc/pve/lxc/301.conf
#VM from module ProxmoxVPS For WHMCS
arch: amd64
cpulimit: 2
cpuunits: 8
hostname: xxxx
memory: 1024
nameserver: 8.8.8.8 8.8.8.8
net0: bridge=vmbr0,gw=xxx hwaddr=36:36:33:61:65:39,ip=185.70.184.151/24,name=eth0,type=veth
onboot: 1
ostype: ubuntu
rootfs: local:301/vm-xxx-disk-1.raw,size=10G
swap: 1024
lxc.cap.drop: syslog



lxc-attach -n 301
root@vds02376:~# dmesg | head -5
[239642.512417] [30901] 0 30901 22007 591 44 3 4856 0 tailwatchd
[239642.512419] [24460] 99 24460 19572 247 40 3 504 0 httpd
[239642.512426] [11590] 0 11590 22008 626 46 3 4839 0 tailwatchd
[239642.512427] [13753] 0 13753 21985 624 44 3 4839 0 tailwatchd
[239642.512430] [34248] 99 34248 19541 454 40 3 432 0 httpd


Linux 4.2.6-1-pve #1 SMP Thu Jan 28 11:25:08 CET 2016 x86_64 GNU/Linux

It's now work, please help me.
 
Has this changed any? My lxc instances can read dmesg from the host and also clear dmesg. I need to have lxc such that a compromised lxc cannot clear dmesg on the host. Any ideas?
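
A way to check, from inside a container, whether the two settings discussed in this thread (kernel.dmesg_restrict and lxc.cap.drop: syslog) are actually in effect, covering both the read case from the first post and the clear case asked about last. This is an added example, not code from any poster or from Proxmox; it assumes a privileged container and a root shell inside it, and the function names and sample masks are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes: privileged LXC container,
# run as root inside the guest.
CAP_SYSLOG_BIT=34   # CAP_SYSLOG as numbered in <linux/capability.h>

# has_cap_syslog HEXMASK -> exit status 0 if the CAP_SYSLOG bit is set
has_cap_syslog() {
    [ $(( (0x$1 >> CAP_SYSLOG_BIT) & 1 )) -eq 1 ]
}

# dmesg_exposure RESTRICT HEXMASK -> what the kernel log permission check allows:
#   with CAP_SYSLOG the log can be read and cleared regardless of the sysctl;
#   without it, reading is open unless dmesg_restrict=1, and clearing is refused.
dmesg_exposure() {
    if has_cap_syslog "$2"; then
        echo "read+clear"
    elif [ "$1" = "1" ]; then
        echo "blocked"
    else
        echo "read-only"
    fi
}

# report: evaluate the live values for the current shell
report() {
    restrict=$(cat /proc/sys/kernel/dmesg_restrict)
    mask=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    echo "live: dmesg_restrict=$restrict CapEff=$mask -> $(dmesg_exposure "$restrict" "$mask")"
}

# demo: constructed masks, first with all of bits 0-37 set, then the same
# mask with bit 34 (CAP_SYSLOG) cleared
demo() {
    for r in 0 1; do
        for m in 0000003fffffffff 0000003bffffffff; do
            echo "sample: dmesg_restrict=$r CapEff=$m -> $(dmesg_exposure "$r" "$m")"
        done
    done
}

demo
[ -r /proc/sys/kernel/dmesg_restrict ] && [ -r /proc/self/status ] && report
```

If the live line still shows read+clear after lxc.cap.drop was added, the running container was started without the drop in effect; lxc.* settings are applied when the container starts.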
 
