[Bug 1021411] [NEW] LXC should allow writting to /proc/sys/kernel/shm* as they are covered by the IPC namespace

Stéphane Graber stgraber at stgraber.org
Thu Jul 5 17:55:55 UTC 2012 

Public bug reported:

Filing this bug based on discussion on lxc-devel and lxc-users where
multiple people reported trying to increase shmmax and getting
permission denied from apparmor.

After doing some more checks with Serge, it was confirmed that
/proc/sys/kernel/shm* are part of the IPC namespace and won't affect the
host. The only problem being a potential DOS of the host by filling
/run/shm but that's a generic tmpfs problem that's present whether or
not we allow writting to the shm control files.

[rational]
Multiple people expressed the need to change their IPC namespace settings in /proc/sys/kernel/shm*, these are currently denied by apparmor through a generic rule. After checking, these aren't considered dangerous and so should indeed be allowed.

[test case]
1) start a container
2) try to update /proc/sys/kernel/shmmax

2) should work, in the past it'd fail with ENOPERM

[regression potential]
The apparmor syntax was confirmed to be correct and was tested on quantal and precise, I can't think of any possible regression caused by this change to the apparmor profile. The only potential problem would be if some kernels were to expose shm* entries that aren't tied to the IPC namespace, but on the kernels I tried it on (stock Ubuntu kernels), that's not the case.

** Affects: lxc (Ubuntu)
     Importance: Undecided
         Status: Fix Released

** Affects: lxc (Ubuntu Precise)
     Importance: Wishlist
     Assignee: Stéphane Graber (stgraber)
         Status: In Progress

** Affects: lxc (Ubuntu Quantal)
     Importance: Undecided
         Status: Fix Released

** Also affects: lxc (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Also affects: lxc (Ubuntu Quantal)
   Importance: Undecided
       Status: New

** Changed in: lxc (Ubuntu Quantal)
       Status: New => Fix Released

** Changed in: lxc (Ubuntu Precise)
       Status: New => In Progress

** Changed in: lxc (Ubuntu Precise)
   Importance: Undecided => Wishlist

** Changed in: lxc (Ubuntu Precise)
     Assignee: (unassigned) => Stéphane Graber (stgraber)

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1021411

Title:
  LXC should allow writting to /proc/sys/kernel/shm* as they are covered
  by the IPC namespace

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1021411/+subscriptions

More information about the Ubuntu-server-bugs mailing list