grsec 3.13.5 & lxc 1.0.0 user namespace containers

Posted: Wed Feb 26, 2014 3:23 am
by andyj

I am trying to use lxc 1.0.0's new support for user namespaces to run an unprivileged container. It appears that the grsec patch is somehow blocking a syscall to unshare from within a docker lxc container.

This setup works with vanilla 3.13.5 kernel and after switching to grsec kernel it won't run the same container or even generate the rootfs for lxc.

The setup I am running is a little strange: an unprivileged lxc container nested within a privileged docker container. (I am nesting the unprivileged lxc container within the docker lxc container to use the lxc-provided tools in their .deb that is pre-built for Ubuntu 14.04. I am running Gentoo and don't trust that my patched shadow/pam wasn't causing problems, so I did this to remove that as a possible issue.) As odd as it may be, it works fine on vanilla; hopefully this can be done on grsec as well.

Error message inside of the docker container when trying to create the nested lxc rootfs (the WARN: about reopening tty appears with both the vanilla and grsec kernel):

features disabled in sysctl:
kernel.grsecurity.chroot_caps = 0
kernel.grsecurity.chroot_deny_chmod = 0
kernel.grsecurity.chroot_deny_pivot = 0
kernel.grsecurity.chroot_deny_chroot = 0
kernel.grsecurity.chroot_deny_mount = 0

kernel config:

uname -r:

grsecurity patch version:

gentoo-hardened (running + grsecurity patch instead of hardened-sources atm)

strace -f for lxc-create that fails above:

Is there something I could change in my configuration to get this working?

If you need I can push my dockerfiles to and provide instructions to recreate the exact situation I am running into.

If there is any other debug information I could provide that would be helpful, just let me know.

Thanks for all the hard work on a great kernel patch set! Hopefully this is just something simple I'm not seeing.


Re: grsec 3.13.5 & lxc 1.0.0 user namespace containers

Posted: Wed Feb 26, 2014 8:23 am
by spender

grsecurity disallows unprivileged use of user namespaces. If you want to use them despite numerous vulnerabilities they've introduced to date, remove the patch from kernel/user_namespace.c:create_user_ns() at your own risk.


Re: grsec 3.13.5 & lxc 1.0.0 user namespace containers

Posted: Wed Feb 26, 2014 3:10 pm
by andyj

I defer to your better judgement. :D

Maybe I'll try user namespace containers again when lxc fixes support for launching unprivileged containers from root. (looks like lxc 1.0.1, ... devel/7207)