On Fri, Aug 01, 2014 at 06:26:03AM -0400, Daniel J Walsh wrote:
> We have kicked around the idea of a "Super Priv container" where you could switch to a limited number of namespaces.
If the number of namespaces we want to support switching to is limited and --privileged containers run with a different type (docker_t) from others (svirt_lxc_net_t), do you really need upstream Docker support? Terrible idea: couldn't we take the same approach we do with service and have an executable for each namespace we want? The only purpose of these "entry points" would be to provide a transition point from docker_t. Combined with:

-v /var/..:/host --net="host"

such a container would only have to know where to expect the mount point and the directory of "namespace entry points".
Taking this approach, I was able to get a container with an unmunged network, access to the host /, and able to spawn processes running as unconfined_t. That (or less) seems sufficient for cockpit given a few modifications.

Granted, real --namespace-add and --namespace-drop support would be less of a sin against god and man... but this would allow for experimentation right now.
_Trevor
--
Sent from my Amiga 500.
(Trevor Jay) Red Hat Product Security
gpg-key:
https://ssl.montrose.is/chat/gpg-key
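The combination Trevor describes (host / bind-mounted into the container plus --net="host", or outright --privileged) makes a container effectively "super privileged" whatever its SELinux type says, so a defender wants to spot it at the point where `docker run` command lines are reviewed or logged. The following is an added example, not code from this thread or from Docker; it audits a `docker run` argument vector for those three flags and flags the combination. Coverage is limited to `-v`/`--volume`, `--net`/`--network` and `--privileged` (an assumption; other host-exposing flags are out of scope), and it normalizes bind-mount sources so that a spelling like `/var/..` is recognized as `/`.

```python
import posixpath
import shlex
from typing import Dict, List

# Host paths whose bind mount exposes the whole host filesystem. Sources are
# normalized before comparison so "/var/.." (as in the thread) matches "/".
SENSITIVE_HOST_PATHS = {"/"}


def _bind_mount_source(spec: str) -> str:
    """Return the normalized host path of a -v/--volume spec, or '' if the spec
    is an anonymous or named volume rather than a host bind mount."""
    parts = spec.split(":")
    if len(parts) < 2:
        return ""  # anonymous volume: "-v /data"
    src = parts[0]
    if not (src.startswith("/") or src.startswith(".")):
        return ""  # named volume: "-v mydata:/data"
    return posixpath.normpath(src)


def audit_docker_args(argv: List[str]) -> List[Dict[str, str]]:
    """Scan the arguments following `docker run` and return one finding per
    host-exposing flag. Each finding is {"flag": ..., "detail": ...}."""
    findings = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        # Normalize "--flag=value" and "-v value" into (flag, value).
        if arg.startswith("--") and "=" in arg:
            flag, value = arg.split("=", 1)
            consumed = 1
        elif arg in ("-v", "--volume", "--net", "--network") and i + 1 < len(argv):
            flag, value, consumed = arg, argv[i + 1], 2
        else:
            flag, value, consumed = arg, "", 1

        if flag == "--privileged" and value in ("", "true"):
            findings.append({"flag": "--privileged",
                             "detail": "container runs privileged (docker_t on the host in the thread's setup)"})
        elif flag in ("--net", "--network") and value == "host":
            findings.append({"flag": flag,
                             "detail": "container shares the host network namespace"})
        elif flag in ("-v", "--volume"):
            src = _bind_mount_source(value)
            if src in SENSITIVE_HOST_PATHS:
                dst = value.split(":")[1]
                findings.append({"flag": flag,
                                 "detail": f"host root bind-mounted at {dst}"})
        i += consumed
    return findings


def is_effectively_superpriv(argv: List[str]) -> bool:
    """True for --privileged, or for the thread's recipe: host / mounted in and
    host networking. Either gives a process inside broad reach over the host."""
    flags = {f["flag"] for f in audit_docker_args(argv)}
    has_root_mount = bool(flags & {"-v", "--volume"})
    has_host_net = bool(flags & {"--net", "--network"})
    return "--privileged" in flags or (has_root_mount and has_host_net)


def audit_command(command: str) -> List[Dict[str, str]]:
    """Audit a full shell command line such as 'docker run -v /:/host img'.
    shlex handles quoting, so --net="host" is seen as --net=host."""
    tokens = shlex.split(command)
    if tokens[:2] == ["docker", "run"]:
        tokens = tokens[2:]
    return audit_docker_args(tokens)


if __name__ == "__main__":
    # Constructed sample command line mirroring the one in the thread.
    sample = 'docker run -v /var/..:/host --net="host" fedora /bin/bash'
    for finding in audit_command(sample):
        print(f"{finding['flag']}: {finding['detail']}")
    print("effectively super privileged:", is_effectively_superpriv(shlex.split(sample)[2:]))
```

Run on the thread's own invocation the audit reports both the host root mount (at /host) and the host network namespace, and `is_effectively_superpriv` returns True; a container using a named volume and bridge networking produces no findings.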