>>>>> "TWB" == Trent W Buck <t...@cybersource.com.au> writes:

    TWB> I suppose if I had to support desktop wank, I would set up a
    TWB> udev rule on the host to mount removable devices in 
    TWB> /media/<VOL ID>, and then rbind-mount /media into the
    TWB> container(s).  

This might be a good idea for some systems, but it wouldn't work well
for things like formatting, burning or using FUSE.

Perhaps the proper solution would be to add a new capability for secure
mounts to the kernel.  The question is how much damage can be done in
theory to the host and other containers when a container is given the
CAP_SYS_ADMIN capability, assuming lxc.cgroup.devices are set properly?
I don't care much about DoS problems as those can happen with almost any
non-paranoid setup.  But can CAP_SYS_ADMIN significantly increase risk
of compromising the host or other containers?
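As an added illustration (not from this thread or the LXC project), the container config below combines the two ideas under discussion: the host mounts removable media under /media and the container only sees it through a recursive bind mount, so CAP_SYS_ADMIN can stay dropped and the devices cgroup whitelist stays minimal. The key syntax is assumed to be LXC 0.7-era, and the device numbers are the usual Linux ones; adjust both for your version.

```ini
# Added example: LXC 0.7-style container config fragment (assumed syntax).
# Host side: a udev rule mounts removable volumes under /media/<VOL ID>;
# the container receives the whole tree via a recursive bind mount, so no
# process inside ever needs to call mount(2) itself.
lxc.mount.entry = /media media none rbind 0 0

# Keep CAP_SYS_ADMIN out of the container. mount(2) and umount(2) require
# it, so dropping it removes the mount-related risk the question raises.
lxc.cap.drop = sys_admin

# Device cgroup: deny everything, then whitelist only character devices the
# container genuinely needs. No block devices are allowed, which is exactly
# why formatting or burning from inside the container cannot work here.
lxc.cgroup.devices.deny = a
# /dev/null
lxc.cgroup.devices.allow = c 1:3 rwm
# /dev/zero
lxc.cgroup.devices.allow = c 1:5 rwm
# /dev/random
lxc.cgroup.devices.allow = c 1:8 rwm
# /dev/urandom
lxc.cgroup.devices.allow = c 1:9 rwm
# /dev/ptmx
lxc.cgroup.devices.allow = c 5:2 rwm
# /dev/pts/*
lxc.cgroup.devices.allow = c 136:* rwm
```

The mount target is relative to the container's rootfs, so the directory `media` must already exist there before the container starts.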



_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
