Make "xt_qtaguid" available to container

Hi,

I am working with LXC 2.0.9 and running a simple busybox rootfs in it, on my custom hardware.
I am trying to pass the network configuration interface "/proc/net/xt_qtaguid/*" to my container. However, I am not seeing it inside the container even if I auto-mount "proc:rw" for the container or pass "/dev/xt_qtaguid" to the container.

Can you please provide some suggestion on how I can make these interface files available to the container?

lxc-start --version

2.0.9

uname -r

4.9.135+

lxc-checkconfig

--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
newuidmap is not installed
newgidmap is not installed
Network namespace: enabled

--- Control groups ---
Cgroups: enabled

Cgroup v1 mount points:
/sys/fs/cgroup/systemd
/sys/fs/cgroup/devices
/sys/fs/cgroup/memory
/sys/fs/cgroup/cpu
/sys/fs/cgroup/cpuset
/sys/fs/cgroup/cpuacct
/sys/fs/cgroup/pids
/sys/fs/cgroup/hugetlb
/sys/fs/cgroup/debug
/sys/fs/cgroup/freezer

Cgroup v2 mount points:

Cgroup v1 clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled, not loaded
Macvlan: enabled, not loaded
Vlan: enabled, not loaded
Bridges: enabled, not loaded
Advanced netfilter: enabled, not loaded
CONFIG_NF_NAT_IPV4: enabled, not loaded
CONFIG_NF_NAT_IPV6: enabled, not loaded
CONFIG_IP_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_IP6_NF_TARGET_MASQUERADE: enabled, not loaded
CONFIG_NETFILTER_XT_TARGET_CHECKSUM: enabled, not loaded
CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled, not loaded
FUSE (for use with lxcfs): enabled, not loaded

--- Checkpoint/Restore ---
checkpoint restore: enabled
CONFIG_FHANDLE: enabled
CONFIG_EVENTFD: enabled
CONFIG_EPOLL: enabled
CONFIG_UNIX_DIAG: enabled
CONFIG_INET_DIAG: enabled
CONFIG_PACKET_DIAG: enabled
CONFIG_NETLINK_DIAG: enabled
File capabilities:

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

LXC config file (using a minimal config)

lxc.rootfs.path = /home/Ubuntu/rootfs
lxc.utsname = "mybusybox"
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
#lxc.mount.auto = proc:rw ## Also tried
#lxc.cgroup.devices.allow = c 10:50 rw ## Also tried
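One thing worth checking before changing more mount options: whether the entry is registered per network namespace at all. The driver creates its /proc/net/xt_qtaguid directory under the initial network namespace (init_net) only, so a container that gets its own network namespace never sees it, regardless of whether /proc is mounted rw or mixed, and a cgroup device rule cannot help because no device node is involved. The script below is an added diagnostic of my own, not code from the thread or from LXC; the function names and the entries it probes (`dev`, `xt_qtaguid`) are my choices. It compares an entry's visibility in the host namespace with its visibility inside a freshly created network namespace, and reports "unknown" rather than guessing when it lacks the privilege to create one.

```sh
#!/bin/sh
# Added diagnostic (not from the thread): classify a /proc/net entry as
# registered per network namespace, registered only in init_net, or absent.
# Run it on the host, outside any container.

# Does ENTRY exist under /proc/net in the namespace we are running in?
proc_net_has() {
    [ -e "/proc/net/$1" ]
}

# Can we create a fresh network namespace here? Plain -n needs CAP_SYS_ADMIN;
# -Un pairs it with a user namespace, which unprivileged users may be allowed.
can_unshare_netns() {
    unshare -n true 2>/dev/null || unshare -Un true 2>/dev/null
}

# Is ENTRY still visible from inside a newly created network namespace?
# /proc/net resolves through /proc/self/net, so the child sees its own netns.
visible_in_new_netns() {
    unshare -n sh -c "[ -e /proc/net/$1 ]" 2>/dev/null ||
        unshare -Un sh -c "[ -e /proc/net/$1 ]" 2>/dev/null
}

# Print one of: absent-on-host, unknown-cannot-create-netns,
# per-netns, init-netns-only.
classify_entry() {
    if ! proc_net_has "$1"; then
        echo absent-on-host
    elif ! can_unshare_netns; then
        echo unknown-cannot-create-netns
    elif visible_in_new_netns "$1"; then
        echo per-netns
    else
        echo init-netns-only
    fi
}

# Report for a known per-netns entry (dev) and the one from the thread.
# Expected on a host with the module loaded and enough privilege:
#   dev: per-netns
#   xt_qtaguid: init-netns-only
for entry in dev xt_qtaguid; do
    printf '%s: %s\n' "$entry" "$(classify_entry "$entry")"
done
```

If `xt_qtaguid` comes back as `init-netns-only` while `dev` is `per-netns`, the container's proc mount options are not the problem: the kernel simply never registers the directory in any namespace but the first one, which is what the later replies about needing netns (and userns) awareness in the driver refer to.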

What does that module do?

That module is used by Android to monitor per-application network statistics. AOSP

Basically I want to run Android inside an LXC container. Android's network manager is making use of this interface. Since this interface is not visible from the container, it is throwing many errors.

@brauner could you take a quick look at that one?

Sounds like something that @morphis may have some interest in too.

At this time, just taking a look through the kernel driver and get a sense of just how hard it may be to have this be properly namespaced. Feels like this would need netns and userns awareness (if not also pidns).

There’s also the question whether this is worth it:

Note: Support for xt_qtaguid will be phased out starting in the Android 9 release. See eBPF Traffic Monitoring for more information.

(Overview | Android Open Source Project)

Ah yeah, good point, given that 9 is the current release, it may not be worth the effort.

Though ebpf based monitoring will be a problem for unpriv containers too…

@stgraber Yes, xt_qtaguid is of less interest for us given that it's phased out in Android 9. Time is better spent looking into the eBPF work to see what needs to be done to get it to work properly inside unprivileged containers.

Yeah, that part is not very promising as unrestricted eBPF makes a great attack vector for spectre/meltdown and so is generally blocked for use by unprivileged users…

@stgraber @brauner

Can you please point me to some reference which can help to add the required namespace support in the xt_qtaguid module?
So that I can try to do it myself.