Hi Ulli,

we've dropped rawio (due to security reasons) and didn't face any 
problems. The lxc host seems to do all of the necessary /proc operations. We 
also mounted the /proc filesystem ro in containers.

Regards,
Andreas

Am 24.10.2013 09:19, schrieb Ulli Horlacher:
> So far, I drop these capabilities in my containers to enhance security:
>
> lxc.cap.drop = mac_override
> lxc.cap.drop = sys_module
> lxc.cap.drop = sys_boot
> lxc.cap.drop = sys_admin
> lxc.cap.drop = sys_time
>
> What about sys_rawio?
> The problem is, this capability allows access to /proc/kcore.
> Can I drop it or is it necessary for important programs?
>
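As an added example (not code from either poster), here is a small script that verifies from inside a running container that the capabilities discussed in this thread, including sys_rawio, are really gone from the process bounding set. It reads the CapBnd mask from /proc/self/status and decodes it with the kernel's capability bit numbers (sys_module=16, sys_rawio=17, sys_admin=21, sys_boot=22, sys_time=25, mac_override=32 in linux/capability.h); the script name capcheck.sh and the name-to-bit list are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the lxc-users thread: check whether the capabilities
# the thread drops are absent from the bounding set of the current process.
# Bit numbers are the kernel's capability numbers from linux/capability.h.

# name=bit pairs for the capabilities named in the thread (assumed list for this example)
CAPS="sys_module=16 sys_rawio=17 sys_admin=21 sys_boot=22 sys_time=25 mac_override=32"

# bnd_mask: print the hex bounding-set mask of the current process.
bnd_mask() {
    awk '/^CapBnd:/ { print $2 }' /proc/self/status
}

# cap_present MASK BIT: exit 0 if BIT is set in the hex MASK, 1 otherwise.
cap_present() {
    mask=$1
    bit=$2
    [ $(( 0x$mask >> $bit & 1 )) -eq 1 ]
}

# check_caps MASK: print one line per capability; exit 1 if any is still present.
check_caps() {
    mask=$1
    rc=0
    for entry in $CAPS; do
        name=${entry%=*}
        bit=${entry#*=}
        if cap_present "$mask" "$bit"; then
            echo "$name: PRESENT (bit $bit)"
            rc=1
        else
            echo "$name: dropped"
        fi
    done
    return $rc
}

# Usage inside a container: sh capcheck.sh            (inspects this process)
#                           sh capcheck.sh 0000003efd9cffff  (decodes a given mask)
if [ $# -gt 0 ]; then
    check_caps "$1"
elif [ -r /proc/self/status ] && [ "${0##*/}" = "capcheck.sh" ]; then
    check_caps "$(bnd_mask)"
fi
```

Running it with no argument inside the container tells you whether lxc.cap.drop took effect for the container's init and its children; a non-zero exit means at least one of the listed capabilities is still in the bounding set. Note that the bounding set only limits what can be gained; a read-only /proc, as mentioned above, is a separate measure and is not covered by this check.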


_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
