On Fri, Feb 24, 2017 at 06:01:00PM -0500, James Bottomley wrote: > Well, as a glib answer, I'd say the TPM is a device, so the thing which > restricts device access to containers is the device cgroup ... that's > what we should be plugging into. I'd have to look, but I suspect the > device cgroup basically operates on device node appearance, so it > should "just work"(tm). I can explore when I'm back home.
Seems reasonable.. It just seems confusing to call something a namespace that isn't also a CLONE_NEW* option.. FWIW more background on the topic: Stefan was concerned about information leakage via sysfs of TPM data, eg that a container could still touch the host's TPM. I wonder if device cgroup could be extended to block access to the sysfs directories containing a disallowed 'dev' ? I was also wondering about kernel use from within the container - all kernel consumers are locked to physical tpm0.. But maybe the kernel can consult the right device cgroup to find an allowed TPM? Jason
