On 05/26/2011 11:57 AM, Papp Tamas wrote:
> On 05/26/2011 11:37 AM, Jäkel, Guido wrote:
>> Papp>I hope a container cannot identify its host.
>>
>> You mean that's a concern of security? Why shouldn't it; "security through 
>> obscurity" is never a solution at all, you'll know!
> Yes, that's true, but this is not the case.
> Actually lxc at this time is not so good in security, so I think every
> small hardening step can help a bit.
>
> By the way, when will it be possible to prohibit a container from reading and
> writing the dmesg of the host system?
> Also what about reading and modifying cgroup settings?
I am currently working on a prototype based on cgroup to deny access to 
a specific file with a specific operation.
As soon as I have finished the POC, I will drop a URL to a kernel with this 
feature. I hope some of you will have some interest to shake the code a 
bit and check if it is suitable for all security purposes we want to fix.

_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users