Hi Ulli,

we've dropped rawio (due to security reasons) and didn't face any problems. The lxc host seems to do all of the necessary /proc operations. We also mounted the /proc filesystem ro in containers.
Regards,
Andreas

On 24.10.2013 09:19, Ulli Horlacher wrote:
> So far, I drop these capabilities in my containers to enhance security:
>
> lxc.cap.drop = mac_override
> lxc.cap.drop = sys_module
> lxc.cap.drop = sys_boot
> lxc.cap.drop = sys_admin
> lxc.cap.drop = sys_time
>
> What about sys_rawio?
> The problem is, this capability allows access to /proc/kcore
> Can I drop it or is it necessary for important programs?

_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
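The following is an added example, not code from either poster or from the LXC project: a small POSIX shell check that a container really lost the capabilities listed above (plus sys_rawio, the one under discussion). It reads the CapBnd line of /proc/self/status, which the kernel exposes as a hex bitmask of the bounding set, and uses the capability bit numbers from linux/capability.h. The sample masks in the comments and at the bottom are constructed, not captured from a real container; the function names are my own.

```shell
# Capability bit numbers as defined in linux/capability.h
CAP_SYS_MODULE=16
CAP_SYS_RAWIO=17
CAP_SYS_ADMIN=21
CAP_SYS_BOOT=22
CAP_SYS_TIME=25
CAP_MAC_OVERRIDE=32

# cap_dropped HEXMASK BIT
# Returns 0 (true) when BIT is absent from the bounding-set mask HEXMASK,
# i.e. the capability has been dropped; 1 when it is still present.
cap_dropped() {
    m=$(( 0x$1 ))
    b=$2
    if [ $(( (m >> b) & 1 )) -eq 0 ]; then
        return 0
    fi
    return 1
}

# list_present HEXMASK
# Prints, space separated and in the order of the thread above, the
# watched capabilities that HEXMASK still contains (empty line if none).
list_present() {
    hex=$1
    out=""
    for pair in mac_override:$CAP_MAC_OVERRIDE sys_module:$CAP_SYS_MODULE \
                sys_boot:$CAP_SYS_BOOT sys_admin:$CAP_SYS_ADMIN \
                sys_time:$CAP_SYS_TIME sys_rawio:$CAP_SYS_RAWIO; do
        name=${pair%%:*}
        bitno=${pair##*:}
        cap_dropped "$hex" "$bitno" || out="$out $name"
    done
    printf '%s\n' "${out# }"
}

# current_capbnd
# Prints the hex bounding-set mask of the calling process, taken from the
# CapBnd: line of /proc/self/status (run this inside the container).
current_capbnd() {
    awk '/^CapBnd:/ {print $2}' /proc/self/status
}

# Stand-alone usage: report which of the watched caps this process kept.
# Constructed reference values for comparison:
#   0000003fffffffff  full bounding set, nothing dropped
#   0000003ffffdffff  only sys_rawio (bit 17) dropped
#   0000003efd9cffff  all six capabilities above dropped
if [ -r /proc/self/status ]; then
    echo "CapBnd: $(current_capbnd)"
    echo "still present: $(list_present "$(current_capbnd)")"
fi
```

An empty "still present" line from inside the container is the result you want; if sys_rawio shows up there while the config claims it is dropped, the lxc.cap.drop line did not take effect and that is the first thing to check before trusting the /proc/kcore exposure is closed.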