Quoting Frederic Crozat ([email protected]):
> On Tuesday 15 May 2012 at 10:34 -0400, [email protected] wrote:
> > Howdy!
> >
> > On Debian squeeze with LXC version 0.7.2, I can mount sysfs in the
> > container..
> >
> > Isn't this a serious security issue? I.e. messing with files in /sys/
> > as root in a container.
> >
> > Or is sysfs protected somehow in LXC container? Is there a workaround?
> > Or is this issue on the TODO list? Or is this changed in later
> > versions??
>
> I don't think it is really possible to protect it, unless you mount it
> read-only and drop mount capabilities (which means dropping
> cap_sys_admin, which has probably a lot of other drawbacks). Or you need
> to use some other tricks like SELinux / AppArmor / ...

(which we will - it's done in an Ubuntu-specific way with AppArmor right now,
but I will generalize that and make it work upstream and with SELinux, "soon")

User namespaces will also fix this - the sysfs files will be owned by the
GLOBAL_ROOT_UID, so root in a container will not have access to them.
Hopefully in the next few months they'll be upstream, and in the meantime
I've got the start of a patch to use them in lxc.

-serge
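
The two protections discussed in this thread (a read-only sysfs combined with dropping cap_sys_admin, or a user namespace that remaps root) can be checked from inside a container. The following is an added example, not code from the thread or from the LXC project; the function names and sample inputs are constructed, and it assumes the text of `/proc/mounts`, `/proc/self/status` and `/proc/self/uid_map` is passed in (on a kernel without user namespaces, pass the identity map).

```python
import re

CAP_SYS_ADMIN = 21  # bit number from <linux/capability.h>

def sysfs_mounts(mounts_text):
    """Yield (mount_point, writable) for each sysfs line of /proc/mounts text."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "sysfs":
            yield fields[1], "ro" not in fields[3].split(",")

def has_cap_sys_admin(status_text):
    """True if CAP_SYS_ADMIN is in the bounding set (CapBnd in /proc/<pid>/status)."""
    m = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if m is None:
        raise ValueError("no CapBnd line in status text")
    return bool((int(m.group(1), 16) >> CAP_SYS_ADMIN) & 1)

def root_is_host_root(uid_map_text):
    """True if uid 0 inside maps to uid 0 outside (no user-namespace remap)."""
    for line in uid_map_text.splitlines():
        inside, outside, count = (int(x) for x in line.split())
        if inside == 0 and count > 0:
            return outside == 0
    return False  # uid 0 is not mapped at all

def exposed_sysfs(mounts_text, status_text, uid_map_text):
    """sysfs mount points root in the container can write to, now or after a remount."""
    if not root_is_host_root(uid_map_text):
        return []  # remapped root does not own the sysfs files
    can_remount = has_cap_sys_admin(status_text)
    return [mnt for mnt, rw in sysfs_mounts(mounts_text) if rw or can_remount]

# Constructed sample inputs (not captured from a real system).
MOUNTS_RW = "rootfs / rootfs rw 0 0\nsysfs /sys sysfs rw,nosuid,nodev,noexec 0 0\n"
MOUNTS_RO = MOUNTS_RW.replace("sysfs rw,", "sysfs ro,")
STATUS_FULL = "Name:\tinit\nCapBnd:\tffffffffffffffff\n"
STATUS_DROPPED = "Name:\tinit\nCapBnd:\tffffffffffdfffff\n"  # bit 21 cleared
UID_IDENTITY = "         0          0 4294967295\n"
UID_REMAPPED = "         0     100000      65536\n"

if __name__ == "__main__":
    print(exposed_sysfs(MOUNTS_RW, STATUS_FULL, UID_IDENTITY))     # default setup
    print(exposed_sysfs(MOUNTS_RO, STATUS_FULL, UID_IDENTITY))     # ro only
    print(exposed_sysfs(MOUNTS_RO, STATUS_DROPPED, UID_IDENTITY))  # ro + cap dropped
    print(exposed_sysfs(MOUNTS_RW, STATUS_FULL, UID_REMAPPED))     # user namespace
```

A read-only mount alone is still reported as exposed, because a root that keeps cap_sys_admin can remount it read-write.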
