LXC should allow writing to /proc/sys/kernel/shm* as they are covered by the IPC namespace

Bug #1021411 reported by Stéphane Graber
This bug affects 1 person
Affects: lxc (Ubuntu)
Assigned to: Stéphane Graber

Bug Description

Filing this bug based on discussion on lxc-devel and lxc-users where multiple people reported trying to increase shmmax and getting permission denied from apparmor.

After doing some more checks with Serge, it was confirmed that /proc/sys/kernel/shm* are part of the IPC namespace and won't affect the host. The only problem being a potential DOS of the host by filling /run/shm but that's a generic tmpfs problem that's present whether or not we allow writing to the shm control files.

Multiple people expressed the need to change their IPC namespace settings in /proc/sys/kernel/shm*, these are currently denied by apparmor through a generic rule. After checking, these aren't considered dangerous and so should indeed be allowed.

[test case]
1) start a container
2) try to update /proc/sys/kernel/shmmax

Expected result: step 2 should work; in the past it'd fail with ENOPERM

[regression potential]
The apparmor syntax was confirmed to be correct and was tested on quantal and precise, I can't think of any possible regression caused by this change to the apparmor profile. The only potential problem would be if some kernels were to expose shm* entries that aren't tied to the IPC namespace, but on the kernels I tried it on (stock Ubuntu kernels), that's not the case.
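The two things a practitioner would want to check around this report are the symptom (AppArmor denials for writes to /proc/sys/kernel/shm*) and the property the fix relies on (that a shmmax write inside an IPC namespace does not touch the host). The script below is an added example, not part of the bug report or of the lxc package. The audit lines it parses are constructed in the layout the kernel uses for AppArmor events, with made-up pids and timestamps; the profile name lxc-container-default, the use of util-linux `unshare --ipc`, and the shmmax values chosen are assumptions for the illustration. The live check covers both the [test case] above and the kernel caveat from [regression potential]: it reports separately whether the write stayed in the child namespace or leaked to the host.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the lxc package.
# Two checks around this bug:
#   1. shm_write_denials: pick AppArmor DENIED entries for writes to
#      /proc/sys/kernel/shm* out of kernel/audit log text (the symptom
#      the reporters saw).
#   2. shmmax_is_namespaced: set shmmax inside a fresh IPC namespace and
#      confirm the host value is untouched (the property the fix relies on).

# Constructed sample log lines in the layout the kernel uses for AppArmor
# audit events; pids, timestamps and the profile name are assumptions.
SAMPLE_AUDIT='type=1400 audit(1341500001.123:45): apparmor="DENIED" operation="open" parent=1 profile="lxc-container-default" name="/proc/sys/kernel/shmmax" pid=2101 comm="sysctl" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
type=1400 audit(1341500002.456:46): apparmor="DENIED" operation="open" parent=1 profile="lxc-container-default" name="/proc/sys/kernel/sysrq" pid=2102 comm="sysctl" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
type=1400 audit(1341500003.789:47): apparmor="DENIED" operation="open" parent=1 profile="lxc-container-default" name="/proc/sys/kernel/shmall" pid=2103 comm="sysctl" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
type=1400 audit(1341500004.012:48): apparmor="STATUS" operation="profile_load" name="lxc-container-default" pid=1900 comm="apparmor_parser"'

# Read log text on stdin; print "<profile> <path> <comm>" for every AppArmor
# DENIED event whose denied_mask includes 'w' and whose path is
# /proc/sys/kernel/shm*. Denials for other sysctls (e.g. sysrq) are dropped
# because those are still meant to be blocked by the profile.
shm_write_denials() {
    sed -n 's/.*apparmor="DENIED".*profile="\([^"]*\)".*name="\(\/proc\/sys\/kernel\/shm[^"]*\)".*comm="\([^"]*\)".*denied_mask="[^"]*w[^"]*".*/\1 \2 \3/p'
}

# Live check. Needs root and util-linux unshare(1) (assumed available).
# Writes a shmmax value in a new IPC namespace and compares the host's value
# before and after. Exit status: 0 = write stayed in the child namespace,
# 1 = host value changed (shm* not namespaced on this kernel, the regression
# case the report worries about), 2 = could not run the check.
shmmax_is_namespaced() {
    [ "$(id -u)" -eq 0 ] || return 2
    command -v unshare >/dev/null 2>&1 || return 2
    before=$(cat /proc/sys/kernel/shmmax) || return 2
    # Pick a value that differs from the current one so a leak is visible.
    if [ "$before" = 67108864 ]; then new=33554432; else new=67108864; fi
    child=$(unshare --ipc sh -c "echo $new > /proc/sys/kernel/shmmax && cat /proc/sys/kernel/shmmax") || return 2
    after=$(cat /proc/sys/kernel/shmmax) || return 2
    [ "$child" = "$new" ] || return 2   # the write in the child did not take
    [ "$before" = "$after" ]
}

printf '%s\n' "$SAMPLE_AUDIT" | shm_write_denials
if shmmax_is_namespaced; then
    echo "shmmax write stayed inside the new IPC namespace"
else
    case $? in
        1) echo "WARNING: shmmax write changed the host value; shm* is not namespaced on this kernel" ;;
        *) echo "live check skipped (needs root and util-linux unshare)" ;;
    esac
fi
```

Run it on the host as root to exercise the live check; unprivileged it only filters the sample log. A status of 1 from shmmax_is_namespaced is the situation the [regression potential] paragraph describes, a kernel whose shm* sysctls are not tied to the IPC namespace, and on such a kernel allowing the write from a container would change the host's setting. One AppArmor detail behind "the apparmor syntax was confirmed to be correct": deny rules take precedence over allow rules, so permitting shm* cannot be done by adding an allow line next to the generic deny rule mentioned above; the deny rule itself has to be narrowed so that the shm* paths fall outside it.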

Changed in lxc (Ubuntu Quantal):
status: New → Fix Released
Changed in lxc (Ubuntu Precise):
status: New → In Progress
importance: Undecided → Wishlist
assignee: nobody → Stéphane Graber (stgraber)
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Stéphane, or anyone else affected,

Accepted lxc into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/lxc/0.7.5-3ubuntu60 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in lxc (Ubuntu Precise):
status: In Progress → Fix Committed
tags: added: verification-needed
Revision history for this message
Stéphane Graber (stgraber) wrote :

Fix verified.

tags: added: verification-done
removed: verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 0.7.5-3ubuntu60

lxc (0.7.5-3ubuntu60) precise-proposed; urgency=low

  * Update lxc-ubuntu template to use "dpkg --add-architecture" in containers
    running dpkg >= 1.16.2. (LP: #1017862)
  * Patch lxc-clone to stop messing with dhclient.conf when it contains a
    placeholder (<hostname> or gethostname()). Fixes cases where dpkg will
    prompt for modified config file on upgrade. (LP: #1021416)
  * Allow write access to /proc/sys/kernel/shm* as these are namespaced (IPC).
    (LP: #1021411)
  * Allow fstype=fuse.*, for all containers. (LP: #1021421)
  * Rebase lxc-list on quantal's, properly shows FROZEN containers and prints
    error messages on stderr. (LP: #1021429)
  * Only run dh_apparmor against the lxc package. (LP: #1021428)
  * Depend on adduser as it's being used in postinst.
  * Fix lintian-overrides syntax.
 -- Stephane Graber <email address hidden> Thu, 05 Jul 2012 12:18:47 -0400

Changed in lxc (Ubuntu Precise):
status: Fix Committed → Fix Released