
#1 2016-04-22 01:30:03

Auch999
Member
Registered: 2016-02-28
Posts: 13

LXC: /usr/bin/firefox opens a new firefox window outside of container

Can someone please explain this weird behaviour to me:

I have an unprivileged LXC container with firefox inside.

If firefox is running on the host, /usr/bin/firefox inside the container launches a new firefox window on the host with the UID of the host user. (wtf)

If firefox is NOT running outside of the container, /usr/bin/firefox inside the container launches firefox with the UID of the container user, like it should be.

the reverse is also true:

If firefox is running inside the container (but not on the host), and firefox is started on the host, the firefox which is started has the UID of the container user.

?!?! How is that ?!?!

EDIT: Confirmed that this is happening with a standard unprivileged ubuntu container as well.

$ uname -r
4.6.0-rc4-customGIT+

# not that it matters --- the same thing happens on a modified arch 4.5 stock kernel too (user namespaces enabled, checkpoint restore enabled)

$ lxc-checkconfig

--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Multiple /dev/pts instances: enabled

--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
Bridges: enabled
Advanced netfilter: enabled
CONFIG_NF_NAT_IPV4: enabled
CONFIG_NF_NAT_IPV6: enabled
CONFIG_IP_NF_TARGET_MASQUERADE: enabled
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled
FUSE (for use with lxcfs): enabled

--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities: enabled

config file:

lxc.devttydir = lxc 
lxc.pts = 1024
lxc.tty = 4 
lxc.cap.drop = mac_admin mac_override sys_time sys_module
lxc.pivotdir = lxc_putold
lxc.hook.clone = /usr/share/lxc/hooks/clonehostname
lxc.cgroup.devices.deny = a 
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
lxc.cgroup.devices.allow = c 1:3 rwm 
lxc.cgroup.devices.allow = c 1:5 rwm 
lxc.cgroup.devices.allow = c 1:7 rwm 
lxc.cgroup.devices.allow = c 5:0 rwm 
lxc.cgroup.devices.allow = c 5:1 rwm 
lxc.cgroup.devices.allow = c 5:2 rwm 
lxc.cgroup.devices.allow = c 1:8 rwm 
lxc.cgroup.devices.allow = c 1:9 rwm 
lxc.cgroup.devices.allow = c 136:* rwm 
lxc.cgroup.devices.allow = c 10:229 rwm 
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0 
lxc.seccomp = /usr/share/lxc/config/common.seccomp
lxc.hook.mount = /usr/share/lxcfs/lxc.mount.hook
lxc.hook.post-stop = /usr/share/lxcfs/lxc.reboot.hook
lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none bind,optional 0 0 
lxc.mount.entry = /sys/kernel/security sys/kernel/security none bind,optional 0 0 
lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none bind,optional 0 0 
lxc.mount.entry = mqueue dev/mqueue mqueue rw,relatime,create=dir,optional 0 0 
lxc.cgroup.devices.allow = c 254:0 rm
lxc.cgroup.devices.allow = c 10:200 rwm 
lxc.cgroup.devices.allow = c 10:228 rwm 
lxc.cgroup.devices.allow = c 10:232 rwm 
lxc.cgroup.devices.deny =
lxc.cgroup.devices.allow =
lxc.devttydir =
lxc.mount.entry = /dev/console dev/console none bind,create=file 0 0 
lxc.mount.entry = /dev/full dev/full none bind,create=file 0 0 
lxc.mount.entry = /dev/null dev/null none bind,create=file 0 0 
lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0 
lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0 
lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0 
lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0 
lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0 
lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0 
lxc.arch = x86_64
lxc.cgroup.devices.allow = c 226:* rwm 
lxc.mount.entry = tmpfs tmp tmpfs defaults
lxc.mount.entry = /dev/dri dev/dri none bind,optional,create=dir
lxc.mount.entry = /tmp/.X11-unix tmp/.X11-unix none ro,bind,create=dir 0 0

lxc-start -n c1 -F -f /path/to/above/conf -s 'lxc.id_map = u 0 100000 65536' -s 'lxc.id_map = g 0 100000 65536' -s 'lxc.rootfs = /path/to/rootfs' -s 'lxc.init_cmd = /usr/bin/bash'

stackexchange: https://unix.stackexchange.com/question … -container

Last edited by Auch999 (2016-04-22 13:26:24)


#2 2016-04-22 13:27:39

ataraxia
Member
From: Pittsburgh
Registered: 2007-05-06
Posts: 1,553

Re: LXC: /usr/bin/firefox opens a new firefox window outside of container

It's a special firefox "feature" to do that. I think it uses some property of the root X window to do it, not sure. In any case, you can disable it by doing "firefox --no-remote" in your container.


#3 2016-04-22 13:33:31

Auch999
Member
Registered: 2016-02-28
Posts: 13

Re: LXC: /usr/bin/firefox opens a new firefox window outside of container

Does this mean that the cause of this behavior is bind-mounting the X11 socket into the container (see the config file above)?

...
lxc.mount.entry = /tmp/.X11-unix tmp/.X11-unix none ro,bind,create=dir 0 0
...

Last edited by Auch999 (2016-04-22 13:33:46)


#4 2016-04-22 19:14:09

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,643
Website

Re: LXC: /usr/bin/firefox opens a new firefox window outside of container

How are you launching the containerized firefox?


CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs


#5 2016-04-23 19:41:02

Auch999
Member
Registered: 2016-02-28
Posts: 13

Re: LXC: /usr/bin/firefox opens a new firefox window outside of container

graysky wrote:

How are you launching the containerized firefox?

lxc-start -n c1 -F -f /path/to/above/conf -s 'lxc.id_map = u 0 100000 65536' -s 'lxc.id_map = g 0 100000 65536' -s 'lxc.rootfs = /path/to/rootfs' -s 'lxc.init_cmd = /usr/bin/bash'

then in the container bash prompt, I type

# /usr/bin/firefox


The -no-remote option is working ... but I think it is undesirable that any containerized program can possibly send some (X) notification to another program on the host.

Is it possible to forbid this? (best would be to somehow forbid this in container configuration, if this is impossible second best would be to forbid this in host configuration)

Last edited by Auch999 (2016-04-23 19:43:31)
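Added example, not part of the thread: the question in #3 (is the bind-mounted X11 socket the cause?) and the request in #5 (can the container configuration forbid it?) both come down to one thing a defender can check mechanically, namely whether a container config hands the host's /tmp/.X11-unix to the container at all. Once the socket is inside the container, any X client in it can talk to the host X server; the thread's own config shows that marking the bind mount "ro" does not stop that, since firefox still reached the host server through it. The POSIX sh functions below scan an LXC config for such mount entries; the function names and the two sample config files (written to temp files so the script runs stand-alone) are constructed for this example and are not from the thread.

```shell
#!/bin/sh
# Audit an LXC container config for mount entries that expose the host's
# X11 socket directory (or a single socket under it) to the container.
# Constructed example; function names are hypothetical.

# Print every uncommented lxc.mount.entry whose host-side source is the
# X11 socket directory or a socket inside it. Comment lines never match
# because the pattern requires "lxc" as the first non-blank text.
x11_socket_mounts() {
    conf="$1"
    grep -E '^[[:space:]]*lxc\.mount\.entry[[:space:]]*=[[:space:]]*/tmp/\.X11-unix' "$conf"
}

# Exit status 0 if the config exposes the X11 socket, 1 if it does not.
# The mount flags ("ro", "optional", ...) are deliberately ignored: they do
# not prevent a client inside the container from connecting to the socket.
x11_exposed() {
    x11_socket_mounts "$1" >/dev/null 2>&1
}

# Human-readable report for one config file. Always returns 0 so it can be
# called from a top-level script without tripping "set -e".
x11_report() {
    conf="$1"
    if x11_exposed "$conf"; then
        echo "EXPOSED: $conf bind-mounts the host X11 socket into the container:"
        x11_socket_mounts "$conf" | sed 's/^/    /'
    else
        echo "OK: $conf contains no X11 socket mount"
    fi
    return 0
}

# --- constructed sample inputs ------------------------------------------
# A config that, like the one in post #1, shares the host display.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample container config
lxc.arch = x86_64
lxc.mount.entry = /dev/dri dev/dri none bind,optional,create=dir
lxc.mount.entry = /tmp/.X11-unix tmp/.X11-unix none ro,bind,create=dir 0 0
EOF

# A config where the X11 entry has been commented out: nothing is exposed.
CLEAN_CONF="$(mktemp)"
cat > "$CLEAN_CONF" <<'EOF'
lxc.arch = x86_64
lxc.mount.entry = tmpfs tmp tmpfs defaults
# lxc.mount.entry = /tmp/.X11-unix tmp/.X11-unix none ro,bind,create=dir 0 0
EOF

x11_report "$SAMPLE_CONF"
x11_report "$CLEAN_CONF"
```

Run it against a real config with `x11_report /var/lib/lxc/<name>/config` (path is an assumption; adjust to where your container configs live). A container that needs no display should simply not carry the entry; a container that does need one is, by design, an X client of the host server, which is what the thread observed.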


#6 2016-04-23 21:38:53

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,643
Website

Re: LXC: /usr/bin/firefox opens a new firefox window outside of container

Try something for me:
1) Start the lxc container and install sshd in the container if you haven't done this already.
2) From the host: xhost +SI:localuser:yourusernamehere && ssh lxccontainer
3) (From the container): DISPLAY=:0 firefox


