On Tuesday, 15 May 2012 at 10:34 -0400, st...@linuxsuite.org wrote:
> Howdy!
>
> On Debian squeeze with LXC version 0.7.2, I can mount sysfs in the
> container..
>
> Isn't this a serious security issue? I.e. messing with files in /sys/
> as root in a container.
>
> Or is sysfs protected somehow in LXC container? Is there a workaround?
> Or is this issue on the TODO list? Or is this changed in later
> versions??

I don't think it is really possible to protect it, unless you mount it read-only and drop mount capabilities (which means dropping cap_sys_admin, which probably has a lot of other drawbacks). Or you need to use some other tricks like SELinux / AppArmor / ...

-- 
Frederic Crozat <fcro...@suse.com>
SUSE

_______________________________________________
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel
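
Added example, not part of the thread: a Python check to run inside a container that tests the two conditions the reply names, sysfs mounted read-only and CAP_SYS_ADMIN dropped from the capability bounding set. The function names and sample strings are constructed for illustration; the parsing assumes the standard /proc/mounts and /proc/self/status formats.

```python
"""Audit a container's sysfs exposure from /proc text (added example)."""

CAP_SYS_ADMIN = 21  # capability bit index from linux/capability.h

# Constructed samples, not taken from the thread.
SAMPLE_MOUNTS_RW = "sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0\n"
SAMPLE_MOUNTS_RO = "sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0\n"
SAMPLE_STATUS_FULL = "Name:\tbash\nCapBnd:\tffffffffffffffff\n"
SAMPLE_STATUS_DROPPED = "Name:\tbash\nCapBnd:\tffffffffffdfffff\n"


def writable_sysfs(mounts_text):
    """Return mount points of sysfs entries that are not mounted read-only."""
    found = []
    for line in mounts_text.splitlines():
        fields = line.split()  # device, mount point, fstype, options, ...
        if len(fields) >= 4 and fields[2] == "sysfs":
            if "ro" not in fields[3].split(","):
                found.append(fields[1])
    return found


def sys_admin_in_bounding_set(status_text):
    """True if CAP_SYS_ADMIN is still in the capability bounding set."""
    for line in status_text.splitlines():
        if line.startswith("CapBnd:"):
            return bool(int(line.split()[1], 16) >> CAP_SYS_ADMIN & 1)
    raise ValueError("no CapBnd line found")


def audit(mounts_text, status_text):
    """Return a list of findings; empty means both mitigations are in place."""
    findings = [f"sysfs writable at {p}" for p in writable_sysfs(mounts_text)]
    if sys_admin_in_bounding_set(status_text):
        findings.append("CAP_SYS_ADMIN in bounding set: root can (re)mount sysfs")
    return findings


if __name__ == "__main__":
    # Inside the container, read the live values instead of the samples.
    with open("/proc/mounts") as m, open("/proc/self/status") as s:
        for finding in audit(m.read(), s.read()):
            print(finding)
```

A read-only sysfs with CAP_SYS_ADMIN still present is reported, because the mount capability is what lets root in the container undo the read-only flag.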