On 05/26/2011 11:06 PM, Daniel Lezcano wrote:
> On 05/26/2011 11:57 AM, Papp Tamas wrote:
>> On 05/26/2011 11:37 AM, Jäkel, Guido wrote:
>>> Papp> I hope a container cannot identify its host.
>>>
>>> You mean that's a concern of security? Why shouldn't it be; "security
>>> through obscurity" is never a solution at all, you'll know!
>> Yes, that's true, but this is not the case.
>> Actually lxc at this time is not so good in security, so I think every
>> small hardening step can help a bit.
>>
>> By the way, when will it be possible to prohibit a container to read and
>> write the dmesg of the host system?
>> Also what about reading and modifying cgroup settings?
> I am currently working on a prototype based on cgroup to deny access
> to a specific file with a specific operation.
> As soon as I have finished the POC, I will drop a URL to a kernel with this
> feature. I hope some of you will have some interest to shake the code
> a bit and check if it is suitable for all security purposes we want to
> fix.
Very, very good news. Unfortunately I'm not a developer, but I'm happy to hear this :)

tamas
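An added audit script for the dmesg question raised above; it is not code from the thread's authors or the lxc project. It checks whether a container config drops the capabilities that gate reads of the host's kernel ring buffer, and whether the host kernel restricts dmesg at all. The `lxc.cap.drop` config key and the `kernel.dmesg_restrict` sysctl are real; the file paths and sample config lines are constructed for the example.

```shell
#!/bin/sh
# Defender-side audit helper (added example, not from the lxc project).
# Question from the thread: can a container read the host's dmesg?
# Two controls decide that: the host sysctl kernel.dmesg_restrict, and
# whether the container config drops the capabilities that bypass it.

# cap_dropped CONFIG CAP: succeed if CAP (e.g. syslog) appears in any
# "lxc.cap.drop = ..." line of CONFIG; several lines accumulate.
cap_dropped() {
    sed -n 's/^[[:space:]]*lxc\.cap\.drop[[:space:]]*=[[:space:]]*//p' "$1" \
        | tr ' ' '\n' | grep -qx "$2"
}

# dmesg_caps_missing CONFIG: print the capabilities that should be dropped
# but are not. dmesg(1) calls syslog(2), which is gated by CAP_SYSLOG on
# 2.6.38+ and by CAP_SYS_ADMIN on older kernels, so drop both.
dmesg_caps_missing() {
    for cap in syslog sys_admin; do
        cap_dropped "$1" "$cap" || printf '%s\n' "$cap"
    done
}

# host_dmesg_restricted: succeed if kernel.dmesg_restrict=1, i.e. the
# kernel refuses the ring buffer to any caller lacking the capability.
host_dmesg_restricted() {
    [ "$(cat /proc/sys/kernel/dmesg_restrict 2>/dev/null)" = "1" ]
}

# container_can_read_dmesg: run inside the container; succeeds only if the
# ring buffer is still readable, i.e. the hardening above is not effective.
container_can_read_dmesg() {
    dmesg >/dev/null 2>&1
}

# Usage: sh audit.sh /var/lib/lxc/c1/config   (path is constructed)
if [ -n "$1" ]; then
    missing=$(dmesg_caps_missing "$1" | tr '\n' ' ')
    if [ -z "$missing" ]; then echo "config: drops syslog and sys_admin"
    else echo "config: still grants $missing"; fi
    if host_dmesg_restricted; then echo "host: kernel.dmesg_restrict=1"
    else echo "host: kernel.dmesg_restrict is 0 or unknown"; fi
fi
```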