Quoting richard -rw- weinberger (richard.weinber...@gmail.com):
> On Tue, Oct 5, 2010 at 11:23 AM, Daniel Lezcano <daniel.lezc...@free.fr> 
> wrote:
> > Yep. The cgroup can be remounted in the container but you can prevent the
> > access to the directory with SMACK or SELinux. There is a good document
> > explaining how to do that at:
> >
> > http://www.ibm.com/developerworks/linux/library/l-lxc-security/
> 
> Yeah, but there are more problems. For example on my test system /lxc
> is a separate filesystem. With CAP_SYS_ADMIN an evil guy could do "ln
> -s /proc/mounts /etc/mtab ; mount / -o remount,ro" and all other lxc
> instances are unusable...

Not sure what you mean by this particular example, but yes, the gist
of the article is that you need smack or selinux in order to contain
root in a container right now. And you need a lot more work on the
mac policies than the article does to do it right.

-serge
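
The thread's point is that a container whose root still holds CAP_SYS_ADMIN and can reach a read-write cgroup mount is only contained by a MAC policy. The following added example (not code from the thread or from LXC) is a defender-side audit that parses the CapBnd mask from /proc/self/status and the cgroup entries from /proc/mounts; the sample inputs are constructed, and the helper names are this example's own.

```python
import re

CAP_SYS_ADMIN = 21  # bit index of CAP_SYS_ADMIN in linux/capability.h


def cap_in_mask(status_text: str, field: str, cap_bit: int) -> bool:
    """True if bit `cap_bit` is set in the given Cap* line (e.g. 'CapBnd',
    'CapEff') of a /proc/<pid>/status text. Masks are hex, one per line."""
    m = re.search(rf"^{field}:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if not m:
        raise ValueError(f"{field} not found in status text")
    return bool((int(m.group(1), 16) >> cap_bit) & 1)


def writable_cgroup_mounts(mounts_text: str) -> list[str]:
    """Mount points of cgroup/cgroup2 filesystems mounted read-write,
    parsed from /proc/mounts (fields: dev mountpoint fstype opts ...)."""
    found = []
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _, mountpoint, fstype, opts = parts[:4]
        if fstype in ("cgroup", "cgroup2") and "rw" in opts.split(","):
            found.append(mountpoint)
    return found


def audit(status_text: str, mounts_text: str) -> list[str]:
    """Findings worth a MAC policy: CAP_SYS_ADMIN kept in the bounding set
    (container root can mount/remount) and cgroup mounts writable from inside."""
    findings = []
    if cap_in_mask(status_text, "CapBnd", CAP_SYS_ADMIN):
        findings.append("CAP_SYS_ADMIN in bounding set: container root can (re)mount")
    for mp in writable_cgroup_mounts(mounts_text):
        findings.append(f"cgroup mounted read-write at {mp}: needs SMACK/SELinux confinement")
    return findings


# Constructed sample inputs (not captured from a real container).
SAMPLE_STATUS = ("Name:\tbash\nCapInh:\t0000000000000000\nCapPrm:\t0000003fffffffff\n"
                 "CapEff:\t0000003fffffffff\nCapBnd:\t0000003fffffffff\n")
SAMPLE_MOUNTS = ("rootfs / rootfs rw 0 0\n"
                 "cgroup /sys/fs/cgroup cgroup rw,relatime,cpuset 0 0\n"
                 "proc /proc proc rw,nosuid 0 0\n")

if __name__ == "__main__":
    # On a live system: audit(open('/proc/self/status').read(), open('/proc/mounts').read())
    for finding in audit(SAMPLE_STATUS, SAMPLE_MOUNTS):
        print("WARNING:", finding)
```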

Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
