On 01/31/2015 04:19 PM, Tomasz Chmielewski wrote:
How do I do this?
I've created my container with:
lxc-create --template download --name container-name -B btrfs
"man lxc-create" does not contain "priv" string.
Use google.
Actually the right word is unprivileged:
https://www.google.hu/search?client=ubuntu&channel=fs&q=lxc+non+privileges+container&ie=utf-8&oe=utf-8&gfe_rd=cr&ei=_PTMVKavCZCu8wesr4LIBg#channel=fs&q=lxc+unprivileged+container&spell=1
2. lxc containers are able to write to /proc/sysrq-trigger - so can
technically poweroff the host:
guest# echo w > /proc/sysrq-trigger
guest# dmesg
3. /proc/kcore? And perhaps anything else which might need blocking
so that the guest is not able to read data from the host/other guests?
These two should be denied by apparmor, unless you run containers with
unconfined apparmor profile.
Is it documented anywhere?
Google search for "/proc/kcore site:linuxcontainers.org" does not seem
to return any related documentation (though I've seen a similar
question sent a few years ago, without any specific answers).
Look at your container's config file and search for lxc.aa_profile. If
it isn't there, it should be protected by apparmor on Ubuntu by default.
Also take a look here:
/etc/apparmor.d/lxc
In fact I'm not sure about kcore, but sysrq-trigger is protected, I'm
sure. If not, then something is really wrong on your system.
Cheers,
tamas
_______________________________________________
lxc-users mailing list
http://lists.linuxcontainers.org/listinfo/lxc-users
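
Added example, not part of the original thread and not LXC's own code: a small Python audit of the two checks the reply suggests, the container's lxc.aa_profile setting and the deny rules in the AppArmor policy. The sample configs, the sample policy, the profile name example-custom-profile and all function names are constructed for illustration; only literal-path deny rules are matched, not globs.

```python
import re
# The two host-facing /proc files raised in the thread, and the access to block.
SENSITIVE = {"/proc/sysrq-trigger": "w", "/proc/kcore": "r"}
# Constructed sample inputs, not copied from a real host.
SAMPLE_CONFIGS = {
    "web": "lxc.utsname = web\n",
    "db": "# debugging leftovers\nlxc.aa_profile = unconfined\n",
    "ci": "lxc.aa_profile = example-custom-profile\n",
}
SAMPLE_POLICY = """\
  deny /proc/sysrq-trigger rwklx,
  # deny /proc/kcore rwklx,
  deny mount fstype=debugfs,
"""

def aa_profile(config_text):
    """Return the lxc.aa_profile value, or None if unset (assumes last one wins)."""
    found = re.findall(r"^\s*lxc\.aa_profile\s*=\s*(\S+)", config_text, re.M)
    return found[-1] if found else None

def denied_paths(policy_text):
    """Map path -> denied permissions for literal file deny rules."""
    denied = {}
    for line in policy_text.splitlines():
        rule = line.split("#", 1)[0]  # drop comments (and #include lines)
        m = re.match(r"\s*(?:audit\s+)?deny\s+(/\S*)\s+([rwaxmlk]+)\s*,", rule)
        if m:
            denied[m.group(1)] = m.group(2)
    return denied

def audit(configs, policy_text):
    """Return sorted (container, finding) pairs worth a closer look."""
    denied = denied_paths(policy_text)
    findings = []
    for name, text in configs.items():
        profile = aa_profile(text)
        if profile == "unconfined":
            findings.append((name, "unconfined profile"))
        elif profile is not None:
            findings.append((name, "custom profile " + profile))
        else:  # default profile: check it denies each sensitive path
            for path, perm in SENSITIVE.items():
                if perm not in denied.get(path, ""):
                    findings.append((name, "no deny rule for " + path))
    return sorted(findings)

if __name__ == "__main__":
    for container, finding in audit(SAMPLE_CONFIGS, SAMPLE_POLICY):
        print(container + ": " + finding)
```

To use it on a real host, pass the text of each container's config file and the concatenated policy files found under /etc/apparmor.d/lxc in place of the samples.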