On Fri 2011-08-19 (15:38), Dong-In David Kang wrote:
> We've found out that inside of an LXC instance, root can insert/remove
> modules of the host.
> Is it normal?
> If it is doable, an LXC image may corrupt the host system, which is not good
> in terms of security.
Put:

lxc.cap.drop = sys_module

into your LXC container config file.

And by the way:

lxc.cap.drop = sys_admin

is also a good idea, to prevent the container root from modifying mount options, for example setting the container filesystem to read-only, which can affect ALL containers!

-- 
Ullrich Horlacher              Server- und Arbeitsplatzsysteme
Rechenzentrum                  E-Mail: horlac...@rus.uni-stuttgart.de
Universitaet Stuttgart         Tel:    ++49-711-685-65868
Allmandring 30                 Fax:    ++49-711-682357
70550 Stuttgart (Germany)      WWW:    http://www.rus.uni-stuttgart.de/

_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
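The advice above boils down to two lines in the container config. The script below is an added example (not from the thread or from the LXC project) that audits a config file for those drops, so you can check every container under /var/lib/lxc the same way. It parses only the `lxc.cap.drop = ...` lines, accepts the space-separated form LXC allows, and reports which of the two capabilities is missing. The two config files it reads are constructed inline to show a default-style config next to a fixed one; the function names `caps_dropped`, `cap_is_dropped` and `audit_config` are the example's own.

```shell
#!/bin/sh
# Audit an LXC container config for the capability drops recommended in the
# thread (sys_module, sys_admin). Added example, not code from the mailing list.

# caps_dropped CONFIG: print every capability named on any "lxc.cap.drop = ..."
# line of CONFIG, space separated. Comment lines never match the pattern, and
# multiple lxc.cap.drop lines are accumulated, which is how LXC treats them.
caps_dropped() {
    sed -n 's/^[[:space:]]*lxc\.cap\.drop[[:space:]]*=[[:space:]]*\(.*\)$/\1/p' "$1" \
        | tr -s '[:space:]' ' '
}

# cap_is_dropped CONFIG CAP: return 0 if CAP is in CONFIG's drop list, else 1.
# CAP uses the LXC spelling: lowercase, without the CAP_ prefix (e.g. sys_module).
cap_is_dropped() {
    for c in $(caps_dropped "$1"); do
        [ "$c" = "$2" ] && return 0
    done
    return 1
}

# audit_config CONFIG: report on the two caps from the thread; the return value
# is the number of missing drops, so 0 means the config is as recommended.
audit_config() {
    missing=0
    for cap in sys_module sys_admin; do
        if cap_is_dropped "$1" "$cap"; then
            echo "ok:      $cap is dropped in $1"
        else
            echo "MISSING: $cap is not dropped in $1 (add 'lxc.cap.drop = $cap')"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# Constructed sample configs (not real containers from the thread).
# WEAK_CFG has no lxc.cap.drop at all: container root keeps CAP_SYS_MODULE and
# CAP_SYS_ADMIN, which is the situation the original question describes.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
lxc.utsname = test1
lxc.rootfs = /var/lib/lxc/test1/rootfs
# no lxc.cap.drop line
EOF

# FIXED_CFG applies the reply's advice; the second line also shows that LXC
# accepts several capabilities on one line.
FIXED_CFG=$(mktemp)
cat > "$FIXED_CFG" <<'EOF'
lxc.utsname = test1
lxc.rootfs = /var/lib/lxc/test1/rootfs
lxc.cap.drop = sys_module
lxc.cap.drop = sys_admin mac_admin mac_override
EOF

# Run stand-alone: audit both files. The "|| true" keeps a non-zero return
# (missing drops) from aborting a caller running under "set -e".
audit_config "$WEAK_CFG" || true
audit_config "$FIXED_CFG" || true
```

To confirm the drops actually took effect, look at the bounding set of the container's init from inside the container (`grep CapBnd /proc/1/status`) and decode the hex mask with `capsh --decode=<mask>`; `cap_sys_module` and `cap_sys_admin` must be absent. Keep in mind that dropping sys_admin also blocks legitimate mount operations inside the container, so test the container's own startup after adding it.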