On 01/31/2015 03:46 PM, Tomasz Chmielewski wrote:
I was wondering what is the best way to employ some basic security for
lxc containers.
On the host, I'm running Ubuntu 14.04, lxc 1.0.7 with kernel 3.18.5.
1. root user in lxc containers is able to view dmesg, even with:
host# cat /proc/sys/kernel/dmesg_restrict
1
Use non-privileges containers.
2. lxc containers are able to write to /proc/sysrq-trigger - so can
technically poweroff the host:
guest# echo w > /proc/sysrq-trigger
guest# dmesg
3. /proc/kcore? And perhaps anything else which might need blocking so
that the guest is not able to read data from the host/other guests?
These two should be denied by apparmor, unless you run containers with
unconfined apparmor profile.
cheers,
tamas
_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
