[SOLVED] dmesg outside VM

Andrii

Jul 6, 2016
I run the command 'dmesg' in VM 101 and can see the logs for VM 108. Why is this possible?
 
That is not a VM, it is a container, and containers share a kernel (including the kernel's dmesg facility). You can disable access for non-root users (and thus also for unprivileged containers) by setting the sysctl kernel.dmesg_restrict to 1.
 
And
Code:
sysctl -w kernel.dmesg_restrict=1
does not help for root in an unprivileged container.
 
Should work - please verify that you set the sysctl correctly (and that you are actually testing with an unpriv. container!)

Code:
$ echo 0 | sudo tee /proc/sys/kernel/dmesg_restrict
0
$ sudo pct enter 123
root@unprivtest:/# dmesg | head -3
[    0.000000] Initializing cgroup subsys cpuset
[    0.000000] Initializing cgroup subsys cpu
[    0.000000] Initializing cgroup subsys cpuacct
root@unprivtest:/# exit

$ echo 1 | sudo tee /proc/sys/kernel/dmesg_restrict
1
$ sudo pct enter 123
root@unprivtest:/# dmesg | head -3
dmesg: read kernel buffer failed: Operation not permitted
root@unprivtest:/# exit
 
Found the solution.
Need to add "syslog errno 1" to /usr/share/lxc/config/common.seccomp
 
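An added check script (not part of the thread, and not Proxmox or LXC tooling) that audits the two settings discussed above: the kernel.dmesg_restrict sysctl and an active "syslog errno 1" rule in the LXC seccomp profile. The function names and the sample profile written by demo are constructed for illustration; the default paths are the ones named in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit the two settings it discusses.
# Default paths are the ones named in the thread; pass other paths to check copies.

# 0 = kernel.dmesg_restrict is 1, 1 = it is not, 2 = file unreadable
dmesg_restricted() {
    f=${1:-/proc/sys/kernel/dmesg_restrict}
    [ -r "$f" ] || return 2
    [ "$(tr -d '[:space:]' < "$f")" = "1" ]
}

# 0 = an active (uncommented) "syslog errno 1" rule exists, 1 = none, 2 = unreadable
seccomp_denies_syslog() {
    f=${1:-/usr/share/lxc/config/common.seccomp}
    [ -r "$f" ] || return 2
    awk '{ sub(/#.*/, "") }   # drop comments so a commented-out rule does not count
         $1 == "syslog" && $2 == "errno" && $3 == "1" { found = 1 }
         END { exit !found }' "$f"
}

# Print one line per check; return 0 only if both checks pass.
audit_dmesg_exposure() {
    rc=0
    if dmesg_restricted "${1:-}"; then echo "OK   kernel.dmesg_restrict=1"
    else echo "WARN kernel.dmesg_restrict is not 1"; rc=1; fi
    if seccomp_denies_syslog "${2:-}"; then echo "OK   seccomp rule 'syslog errno 1' present"
    else echo "WARN no active 'syslog errno 1' rule in seccomp profile"; rc=1; fi
    return $rc
}

# Run the audit on constructed sample files, before and after both changes.
demo() {
    tmp=$(mktemp -d) || return 1
    echo 0 > "$tmp/dmesg_restrict"
    printf '2\nblacklist\n[all]\nkexec_load errno 1\n# syslog errno 1\n' > "$tmp/common.seccomp"
    echo "before:"; audit_dmesg_exposure "$tmp/dmesg_restrict" "$tmp/common.seccomp"
    echo 1 > "$tmp/dmesg_restrict"
    echo 'syslog errno 1' >> "$tmp/common.seccomp"
    echo "after:"; audit_dmesg_exposure "$tmp/dmesg_restrict" "$tmp/common.seccomp"
    r=$?; rm -rf "$tmp"; return $r
}

case "${1:-}" in
    demo) demo ;;                  # constructed sample files only
    host) audit_dmesg_exposure ;;  # the real paths on this host
esac
```

Run it with the argument host on the Proxmox node to check the live settings, or with demo to see the before and after output on the constructed files.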