于 2011年04月23日 10:55, Josh Triplett 写道: > The systemd-nspawn manpage lists the various mechanisms used to isolate > the container, and then says "Note that even though these security > precautions are taken systemd-nspawn is not suitable for secure > container setups. Many of the security features may be circumvented and > are hence primarily useful to avoid accidental changes to the host > system from the container." > > How can a process in a systemd-nspawn container circumvent the container
remount /proc and /sys > setup? What additional steps would systemd-nspawn need to take to > provide a secure container setup? > > - Josh Triplett > _______________________________________________ > systemd-devel mailing list > systemd-devel@lists.freedesktop.org > http://lists.freedesktop.org/mailman/listinfo/systemd-devel _______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
