I was wondering what is the best way to employ some basic security for
lxc containers.
On the host, I'm running Ubuntu 14.04, lxc 1.0.7 with kernel 3.18.5.
1. root user in lxc containers is able to view dmesg, even with:
host# cat /proc/sys/kernel/dmesg_restrict
1
2. lxc containers are able to write to /proc/sysrq-trigger - so can
technically poweroff the host:
guest# echo w > /proc/sysrq-trigger
guest# dmesg
3. /proc/kcore? And perhaps anything else which might need blocking so
that the guest is not able to read data from the host/other guests?
--
Tomasz Chmielewski
http://www.sslrack.com
_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
