Bug#750106: AppArmor info

2014-06-01 Thread John Goerzen
On 06/01/2014 05:13 PM, Daniel Baumann wrote:
> On 06/02/2014 12:06 AM, John Goerzen wrote:
>> Everything I have read says one must use either AppArmor or user
>> namespaces to make it secure.
>
> or, like i said, you can r/o mount certain pseudo-fs and drop a bunch of
> capabilities, like lxc-deb

Bug#750106: AppArmor info

2014-06-01 Thread Daniel Baumann
On 06/02/2014 12:06 AM, John Goerzen wrote:
> Everything I have read says one must use either AppArmor or user
> namespaces to make it secure.

or, like i said, you can r/o mount certain pseudo-fs and drop a bunch of capabilities, like lxc-debconfig in lxc-stuff does by default (and lxc-debian in d

Bug#750106: AppArmor info

2014-06-01 Thread John Goerzen
On 06/01/2014 04:43 PM, Daniel Baumann wrote:
> On 06/01/2014 10:27 PM, John Goerzen wrote:
>> Here are some links that describe AppArmor and why it's important to LXC:
> i'm aware that lxc can use apparmor, but as said previously, it is not
> required to make a container secure.

Everything I hav

Bug#750106: AppArmor info

2014-06-01 Thread Daniel Baumann
On 06/01/2014 10:27 PM, John Goerzen wrote:
> Here are some links that describe AppArmor and why it's important to LXC:

i'm aware that lxc can use apparmor, but as said previously, it is not required to make a container secure.

> http://blog.bofh.it/debian/id_413 is an exploit that is usable to
>

Bug#750106: AppArmor info

2014-06-01 Thread John Goerzen
Daniel et al,

Here are some links that describe AppArmor and why it's important to LXC:

https://www.stgraber.org/2014/01/01/lxc-1-0-security-features/

http://blog.bofh.it/debian/id_413 is an exploit that is usable to compromise the host's root on any LXC container that doesn't use AppArmor or u