> From: Shweta Shinde [mailto:shwetasshind...@gmail.com]
> Sent: Tuesday, 31 January 2012 13:09
> To: lxc-users@lists.sourceforge.net
> Subject: [Lxc-users] Security in LXC
>
> Hi everyone, 
> I am working on LXC containers for my project. I am interested in the 
> security aspects of LXC. 
> What are the security threats from an isolation perspective while using 
> containers?
>
> How can we use SELinux to secure a container?
> Any information will be very helpful.

To my understanding, lxc without LSM is only useful to separate processes or 
network traffic for simpler setup/administration, but currently the 
lxc-separation is not very strict from a security point of view. Without LSM and 
lxc system virtualization, guest root == host root, e.g. via access to 
/proc/kcore, mem, ...

See http://www.mail-archive.com/lxc-users@lists.sourceforge.net/msg03039.html

Since I'm not sure that I could harden an LSM policy that prevents a guest 
UID=0 process from accessing anything outside the container (there may be a 
thousand ways via proc and syscalls that I don't know about), I refrained from 
using lxc for system virtualization until secure open-source policies are 
available.

Kind regards,
Roman
