On Tue, Jun 14, 2016 at 07:17:58AM -0400, Ron Kelley wrote:
> Thanks. These containers are running as a web-hosting container for our user
> sites (we host one site per container). Does your security statement below
> mean I could run into security issues if we enable the security.nesting
> option? One of the primary drivers for containers is for security - we don’t
> want one site “bleeding” into another.

The unfortunate cause of this is that since apparmor is purely pathname based, and there are rules to prevent writing to sensitive files, allowing containers to bind mount things can allow circumventing those rules. However, so long as you're using unprivileged containers (which you'd better be given your application), it's more of a defense in depth issue - we don't know of, or expect, any cases where your container user would actually be able to write to sensitive files like sysrq-trigger, bc they will be owned by -1. So "it's probably ok" but only do it if you really need to.

Perhaps you can allow bind mounting only from/to certain paths?

-serge

_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
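
Added example, not part of the reply above or of LXC: a pathname rule only matches the name used to reach a file, so one defensive check is to list every other pathname under which a protected file is currently mounted. The sketch below does this over constructed `/proc/self/mountinfo` lines; the mount points, the sample data and the function names are assumptions for illustration.

```python
"""Added example: find extra pathnames that reach a pathname-protected file."""

# Constructed /proc/self/mountinfo lines (field layout per proc(5)); the last
# two are bind mounts that re-expose procfs content outside /proc.
SAMPLE_MOUNTINFO = """\
21 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
22 21 0:4 / /proc rw,nosuid,nodev,noexec - proc proc rw
23 21 0:20 / /sys rw,nosuid,nodev,noexec - sysfs sysfs rw
90 21 0:4 /sysrq-trigger /srv/site/trigger rw - proc proc rw
91 21 0:4 / /var/tmp/p rw - proc proc rw
"""

def parse_mountinfo(text):
    """Return (device, root within the filesystem, mount point) per mount."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10 or "-" not in fields:
            continue  # not a well-formed mountinfo record
        mounts.append((fields[2], fields[3], fields[4]))
    return mounts

def _under(path, prefix):
    """True if path equals prefix or lies beneath it, component-wise."""
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")

def aliases(protected, mounts):
    """Pathnames other than `protected` that reach the same object."""
    # Resolve the protected name through its longest matching mount point.
    covering = [m for m in mounts if _under(protected, m[2])]
    if not covering:
        return []
    dev, root, mnt = max(covering, key=lambda m: len(m[2]))
    inner = root.rstrip("/") + protected[len(mnt.rstrip("/")):]
    found = []
    for d, r, p in mounts:
        # Same filesystem instance, and this mount's root covers the object.
        if d == dev and _under(inner, r):
            path = (p.rstrip("/") + inner[len(r.rstrip("/")):]) or "/"
            if path != protected:
                found.append(path)
    return sorted(found)

if __name__ == "__main__":
    for alias in aliases("/proc/sysrq-trigger", parse_mountinfo(SAMPLE_MOUNTINFO)):
        print("also reachable as:", alias)
```

Any path it reports is a name that a rule written against `/proc/sysrq-trigger` would not match, which is the reason to restrict where bind mounts may come from and go to.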
