On 08/27/2010 05:52 PM, Denis Rizaev wrote:
> Hi folks.
> I tried to mount the cgroup fs in a container and was surprised that I can see
> the entire cgroups tree. Also, I can modify limits for my container and others!!
> In my opinion a container should see only its own level of cgroup, not the
> whole tree.
> Is it a fundamental design flaw, or have I missed something?
>
I think this is something you can prevent with SMACK.

There is documentation here:

http://www.ibm.com/developerworks/linux/library/l-lxc-security/

I am not an expert in this area, so I don't have too much to say :)
Serge (the author of the document) knows much more than me on this.

Thanks
   -- Daniel

_______________________________________________
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel
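
An added example, not part of the original thread or of LXC: a check for the exposure described in the question, which reports cgroup mounts whose root lies above the caller's own cgroup. It assumes cgroup v1 hierarchies without cgroup namespaces (as in the setup discussed here), and the sample `/proc` contents and the function names are constructed for illustration.

```python
"""Report cgroup v1 mounts that expose cgroups outside the caller's own.
Added example; the sample /proc contents below are constructed."""

SAMPLE_MOUNTINFO = """\
22 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
60 22 0:25 / /cgroup rw,relatime - cgroup cgroup rw,memory,cpuset
61 22 0:26 /lxc/web1 /mnt/devices ro,relatime - cgroup cgroup rw,devices
"""
SAMPLE_CGROUP = """\
2:memory,cpuset:/lxc/web1
3:devices:/lxc/web1
"""

def own_cgroups(cgroup_text):
    """Map frozenset(controllers) -> this process's cgroup path."""
    paths = {}
    for line in cgroup_text.splitlines():
        parts = line.split(":", 2)          # hierarchy-id:controllers:path
        if len(parts) == 3 and parts[1]:
            paths[frozenset(parts[1].split(","))] = parts[2]
    return paths

def is_strict_ancestor(root, path):
    """True if 'root' is a proper parent directory of 'path'."""
    if root == path:
        return False
    return root == "/" or path.startswith(root.rstrip("/") + "/")

def exposed_cgroup_mounts(mountinfo_text, cgroup_text):
    """Return [(mount_point, mounted_rw)] for cgroup mounts rooted above the
    caller's own cgroup, so that parent and sibling groups are reachable."""
    own = own_cgroups(cgroup_text)
    findings = []
    for line in mountinfo_text.splitlines():
        left, sep, right = line.partition(" - ")
        lf, rf = left.split(), right.split()
        if not sep or len(lf) < 6 or len(rf) < 3 or rf[0] != "cgroup":
            continue
        root, mount_point, mount_opts = lf[3], lf[4], lf[5].split(",")
        super_opts = set(rf[2].split(","))  # carries the controller names
        for controllers, path in own.items():
            if controllers <= super_opts and is_strict_ancestor(root, path):
                findings.append((mount_point, "rw" in mount_opts))
    return findings

if __name__ == "__main__":
    # On a live system, pass the text of /proc/self/mountinfo and /proc/self/cgroup.
    for mp, rw in exposed_cgroup_mounts(SAMPLE_MOUNTINFO, SAMPLE_CGROUP):
        print(f"{mp}: exposes cgroups outside our own (mounted_rw={rw})")
```

A mount reported with `mounted_rw=True` is only mounted read-write; whether limits can actually be changed still depends on file permissions and any mandatory access control policy in force.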