On 1/17/19 11:39 AM, Stephen Smalley wrote:

On 1/17/19 11:15 AM, Tejun Heo wrote:

quoted

Hello,

On Thu, Jan 17, 2019 at 10:01:23AM -0500, Daniel Walsh wrote:

quoted

The above comment is correct.  We want to be able to run a container
where we hand it control over a limited subdir of the cgroups hierachy.
We can currently do this and label the content correctly, but when
subdirs of the directory get created by processes inside the container
they do not get the correct label.  For example we add a label like
system_u:object_r:container_file_t:s0 to a directory but when the
process inside of the container creates a fd within this directory the
kernel says the label is the default label for cgroups
system_u:object_r:cgroup_t:s0.  This forces us to write looser policy
that from an SELinux point of view allows a process within the
container
to write anywhere on the cgroup file system, rather then just the
designated directories.

Can you please go into a bit more details on why the existing
cgroup delegation model isn't enough?

I would hazard a guess that it is because the existing cgroup
delegation model is based on user IDs and discretionary access control
(DAC), whereas they are using per-container SELinux security contexts
and mandatory access control (MAC) to enforce the separation of
containers irrespective of UID and DAC.  Optimally both would be
supported by cgroup, as DAC and MAC have different properties and use
cases.

As Steven said, existing model is DAC.  We have the situation where we
have a "root" process running within a container that is not using User
Namespace.  I want to control that that root process can not write to
anywhere within the cgroup hierarchy based on SELinux controls.   This
is security in depth.  If other mechanisms prevent the process from
writing to other places in cgroups that is great, but I want it also
secured from a MAC Point of view.