LXC should allow writing to /proc/sys/kernel/shm* as they are covered by the IPC namespace

Bug #1021411 reported by Stéphane Graber
This bug affects 1 person
Affects        Status        Importance  Assigned to      Milestone
lxc (Ubuntu)   Fix Released  Undecided   Unassigned
Precise        Fix Released  Wishlist    Stéphane Graber
Quantal        Fix Released  Undecided   Unassigned

Bug Description

Filing this bug based on discussion on lxc-devel and lxc-users where multiple people reported trying to increase shmmax and getting permission denied from apparmor.

After doing some more checks with Serge, it was confirmed that /proc/sys/kernel/shm* are part of the IPC namespace and won't affect the host. The only problem being a potential DoS of the host by filling /run/shm, but that's a generic tmpfs problem that's present whether or not we allow writing to the shm control files.

[rationale]
Multiple people expressed the need to change their IPC namespace settings in /proc/sys/kernel/shm*; these are currently denied by apparmor through a generic rule. After checking, these aren't considered dangerous and so should indeed be allowed.

[test case]
1) start a container
2) try to update /proc/sys/kernel/shmmax

Step 2) should work; in the past it'd fail with ENOPERM.

[regression potential]
The apparmor syntax was confirmed to be correct and was tested on quantal and precise, I can't think of any possible regression caused by this change to the apparmor profile. The only potential problem would be if some kernels were to expose shm* entries that aren't tied to the IPC namespace, but on the kernels I tried it on (stock Ubuntu kernels), that's not the case.
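The test case and the regression check above can be scripted. The following probe is an added example for this page; it is not part of the bug report or the lxc package. Run it inside a container: it tries to write a value to a /proc/sys/kernel/shm* file, reports whether the write was refused (the AppArmor deny this bug is about) or silently ignored, and restores the original value. The path and the value 68719476736 in the example call are assumptions chosen for illustration. To check the namespace boundary the regression-potential section worries about, read the same file on the host after a successful container write: it must still show the host's own value.

```shell
#!/bin/sh
# Added example for this bug's test case (not from the report or the lxc package).
# Run inside a container to probe one /proc/sys/kernel/shm* file.

probe_sysctl_write() {
    path=$1
    newval=$2

    # Unreadable or missing file: nothing to test. Return 2 so the caller can
    # tell "not present" apart from "write denied".
    [ -r "$path" ] || { echo "$path: not readable"; return 2; }
    old=$(cat "$path")

    # An AppArmor deny surfaces here as a failed open for writing. The matching
    # "apparmor=DENIED" line lands in the host's kernel log / audit log.
    if ! printf '%s\n' "$newval" > "$path" 2>/dev/null; then
        echo "$path: write denied (old value $old kept)"
        return 1
    fi

    cur=$(cat "$path")
    # Always put the original value back; ignore a failure on restore.
    printf '%s\n' "$old" > "$path" 2>/dev/null || :

    # Some sysctls accept the open() but clamp or ignore the value. That is
    # still a failed test: the setting did not actually change.
    if [ "$cur" != "$newval" ]; then
        echo "$path: write accepted but value is $cur, not $newval"
        return 1
    fi
    echo "$path: writable ($old -> $newval, restored to $old)"
    return 0
}

# Example call, step 2 of the bug's test case (value is an assumption, 64 GiB):
#   probe_sysctl_write /proc/sys/kernel/shmmax 68719476736
```

Exit status 0 means the write took effect, 1 means it was denied or ignored, 2 means the file is absent or unreadable, so the probe can be looped over shmmax, shmall and shmmni from a test harness.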

Changed in lxc (Ubuntu Quantal):
status: New → Fix Released
Changed in lxc (Ubuntu Precise):
status: New → In Progress
importance: Undecided → Wishlist
assignee: nobody → Stéphane Graber (stgraber)
Brian Murray (brian-murray) wrote: Please test proposed package

Hello Stéphane, or anyone else affected,

Accepted lxc into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/lxc/0.7.5-3ubuntu60 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in lxc (Ubuntu Precise):
status: In Progress → Fix Committed
tags: added: verification-needed
Stéphane Graber (stgraber) wrote :

Fix verified.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 0.7.5-3ubuntu60

---------------
lxc (0.7.5-3ubuntu60) precise-proposed; urgency=low

  * Update lxc-ubuntu template to use "dpkg --add-architecture" in containers
    running dpkg >= 1.16.2. (LP: #1017862)
  * Patch lxc-clone to stop messing with dhclient.conf when it contains a
    placeholder (<hostname> or gethostname()). Fixes cases where dpkg will
    prompt for modified config file on upgrade. (LP: #1021416)
  * Allow write access to /proc/sys/kernel/shm* as these are namespaced (IPC).
    (LP: #1021411)
  * Allow fstype=fuse.*, for all containers. (LP: #1021421)
  * Rebase lxc-list on quantal's, properly shows FROZEN containers and prints
    error messages on stderr. (LP: #1021429)
  * Only run dh_apparmor against the lxc package. (LP: #1021428)
  * Depend on adduser as it's being used in postinst.
  * Fix lintian-overrides syntax.
 -- Stephane Graber <email address hidden> Thu, 05 Jul 2012 12:18:47 -0400

Changed in lxc (Ubuntu Precise):
status: Fix Committed → Fix Released