> On Tuesday, 15 May 2012 at 10:34 -0400, st...@linuxsuite.org wrote:
>> Howdy!
>>
>> On Debian squeeze with LXC version 0.7.2, I can mount sysfs in the
>> container.
>>
>> Isn't this a serious security issue? I.e. messing with files in /sys/
>> as root in a container.
>>
>> Or is sysfs protected somehow in an LXC container? Is there a
>> workaround? Or is this issue on the TODO list? Or is this changed in
>> later versions?
>
> I don't think it is really possible to protect it, unless you mount it
> read-only and drop mount capabilities (which means dropping
> cap_sys_admin, which probably has a lot of other drawbacks). Or you need
> to use some other tricks like SELinux / AppArmor / ...
There are lots of scenarios where the ability to mount sysfs in a container is not needed, and/or for security reasons is just a bad idea. Isn't it possible to add a simple check to prevent mounting sysfs in a container, and this feature could be configurable either on a container-by-container basis or for all containers? Otherwise getting root in a container allows for possible trashing of the entire host by messing with files in /sysfs??

This issue is important, and will limit use of LXC in important production situations. Other container solutions do not allow for mounting sysfs in a container, for example Linux-Vserver. Thoughts?

If simple enough and with adequate guidance I may be able to implement this if it is not on the TODO, and is technically feasible? But I suppose if it was simple and feasible it would already be done. Or perhaps understandably there are other priorities? Or conflicts with other parts of the system or... perhaps better to implement this through other means like SELinux (trivial or difficult??)

thanks - steve

> --
> Frederic Crozat <fcro...@suse.com>
> SUSE
_______________________________________________
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel
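Both halves of the exchange above can be turned into a concrete check: the mitigation Frederic describes (mount sysfs read-only and drop cap_sys_admin so the guest cannot remount it) and the per-container audit Steve asks for. The script below is an added example written for this page, not code from the thread or from the LXC project. It has two functions: one meant to run inside a container against its own mount table, and one meant to run on the host against a container's config file. The config keys it looks at, lxc.mount.entry and lxc.cap.drop, are the ones documented in lxc.conf(5); the sample mount tables, the container name web1, its rootfs path and the relative mount point are constructed for the example.

```shell
#!/bin/sh
# Added example for the lxc-devel thread above; not code from the thread or
# from LXC itself. Two audits for "can root in the container write to sysfs?":
#   rw_sysfs_mounts      - run inside a container: feed it /proc/self/mounts
#   lxc_config_hardened  - run on the host: feed it a container config
# lxc.mount.entry and lxc.cap.drop are real lxc.conf(5) keys; everything in
# the sample data (mount tables, container "web1", paths) is constructed.

# Print the mount point of every sysfs mount whose options include "rw".
# Exit 0 if at least one was found, 1 otherwise.
rw_sysfs_mounts() {
    awk '
        $3 == "sysfs" {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] == "rw") { print $2; found = 1; break }
        }
        END { exit (found ? 0 : 1) }'
}

# Exit 0 only if the config on stdin both mounts sysfs read-only ("ro" in the
# fstab-style options of every sysfs lxc.mount.entry) and drops sys_admin via
# lxc.cap.drop, so the guest cannot remount it read-write. Otherwise print
# what is missing and exit 1.
lxc_config_hardened() {
    awk '
        { sub(/#.*/, "") }                      # strip comments
        /^[ \t]*$/ { next }                     # skip blank lines
        /^[ \t]*lxc\.mount\.entry[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")           # keep the fstab-style value
            split($0, f, /[ \t]+/)             # fsname mntpoint fstype opts
            if (f[3] == "sysfs") {
                m = split(f[4], o, ",")
                ro = 0
                for (i = 1; i <= m; i++) if (o[i] == "ro") ro = 1
                if (!ro) { print "sysfs mount at " f[2] " is writable"; bad = 1 }
            }
        }
        /^[ \t]*lxc\.cap\.drop[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")
            n = split($0, caps, /[ \t]+/)
            for (i = 1; i <= n; i++) if (caps[i] == "sys_admin") dropped = 1
        }
        END {
            if (!dropped) { print "lxc.cap.drop does not include sys_admin"; bad = 1 }
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample input in /proc/self/mounts format.
CONTAINER_RW_MOUNTS='rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620 0 0'

CONTAINER_RO_MOUNTS='rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0'

# Constructed container configs: the weak form beside the hardened form.
WEAK_CONFIG='lxc.utsname = web1
lxc.rootfs = /var/lib/lxc/web1/rootfs
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry = sysfs sys sysfs defaults 0 0'

HARDENED_CONFIG='lxc.utsname = web1
lxc.rootfs = /var/lib/lxc/web1/rootfs
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
# read-only sysfs is only meaningful if the guest cannot remount it
lxc.mount.entry = sysfs sys sysfs ro,nodev,noexec,nosuid 0 0
lxc.cap.drop = sys_admin mac_admin mac_override sys_module'

# Stand-alone run: audit the constructed samples. Inside a real container,
# use: rw_sysfs_mounts < /proc/self/mounts
echo "== mount table audit (constructed rw sample) =="
printf '%s\n' "$CONTAINER_RW_MOUNTS" | rw_sysfs_mounts && echo "FAIL: writable sysfs above"
echo "== weak config =="
printf '%s\n' "$WEAK_CONFIG" | lxc_config_hardened || echo "FAIL: config not hardened"
echo "== hardened config =="
printf '%s\n' "$HARDENED_CONFIG" | lxc_config_hardened && echo "OK: ro sysfs + sys_admin dropped"
```

The config check is deliberately conjunctive. A read-only sysfs entry alone buys nothing while the guest keeps CAP_SYS_ADMIN, because root in the container can remount /sys read-write or mount a fresh sysfs somewhere else; that is exactly why Frederic pairs the read-only mount with dropping the capability, and why the script reports a config with "ro" but no lxc.cap.drop as not hardened.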