Hi Serge,

> -----Original Message-----
> From: Serge Hallyn [mailto:serge.hal...@canonical.com]
> To: Fiedler Roman
> Cc: lxc-users@lists.sourceforge.net
> Subject: Re: [Lxc-users] lxc and guest /proc/kcore access restriction
> 
> Quoting Fiedler Roman (roman.fied...@ait.ac.at):
> > Hello List,
> >
> > I have problems finding information about lxc with system virtualization
> > and access restriction to /proc/kcore. In my setup, root in guest can read
> > /proc/kcore, data from host shows up in container kcore, so kcore is not
> > somehow faked/virtualized.
> >
> > I did not find any suitable information about securing /proc use inside
> > container, so perhaps someone could point me to information on these
> > questions?
> >
> > * Is secure /proc use (no escape, no major host/container or
> > inter-container info leaks) inside guest possible?
> 
> ATM I recommend you use an LSM to do that.

Thanks for the hint, I'm looking into that.


Is there anyone on this list who is already using kernel memory isolation
between guest and host or between guests? Which LSM variant and configuration
is useful? Is there a good base configuration to start with?

I'm using
http://www.ibm.com/developerworks/linux/library/l-lxc-security/index.html?ca=dgr-lnxw961ELinux-Smack-Contains&S_TACT=105AGX59&S_CMP=grsitelnxw961
for a start, but I guess it is a long road until all access to all critical
/proc components and syscalls is restricted.

Thanks,
Roman
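
A small read-probe to verify, from inside the guest, whether the /proc/kcore exposure described above is actually closed after an LSM policy or mount restriction is applied; this is an added example and not code from the thread, from LXC or from the IBM article. The list of probed entries, the proc/sys root parameters and the AppArmor/SMACK sysfs markers are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): probe which /proc entries that expose
# host kernel memory or layout can really be opened for reading by this user.

# Constructed list of entries whose readability leaks host kernel data.
SENSITIVE_PROC_FILES="kcore kallsyms modules iomem slabinfo"

# proc_file_status <proc-root> <name>  ->  prints absent | readable | blocked
# A real open+read is attempted instead of "test -r": access(2) is not
# mediated by every LSM (AppArmor mediates open), so root would look allowed.
proc_file_status() {
    _f="$1/$2"
    if [ ! -e "$_f" ]; then
        echo absent
    elif dd if="$_f" of=/dev/null bs=1 count=1 2>/dev/null; then
        echo readable
    else
        echo blocked
    fi
}

# audit_proc_exposure [proc-root]  (default /proc)
# Prints "<name> <status>" per entry; the return value is the number of
# entries that could be read, so 0 means the whole list is restricted.
audit_proc_exposure() {
    _root="${1:-/proc}"
    _readable=0
    for _name in $SENSITIVE_PROC_FILES; do
        _status=$(proc_file_status "$_root" "$_name")
        echo "$_name $_status"
        if [ "$_status" = readable ]; then
            _readable=$((_readable + 1))
        fi
    done
    return "$_readable"
}

# lsm_hint [sys-root]  ->  prints apparmor | smack | none
# Assumed markers: AppArmor's module parameter and SMACK's smackfs directory.
lsm_hint() {
    _sys="${1:-/sys}"
    if [ "$(cat "$_sys/module/apparmor/parameters/enabled" 2>/dev/null)" = Y ]; then
        echo apparmor
    elif [ -d "$_sys/fs/smackfs" ]; then
        echo smack
    else
        echo none
    fi
}
```

Source the file inside the container and call `audit_proc_exposure` followed by `lsm_hint`; a line `kcore readable` after the profile has been loaded means the policy did not take effect for that guest.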
