On 23 Apr 2011 12:16, Josh Triplett wrote:
> On Sat, Apr 23, 2011 at 11:28:58AM +0800, microcai wrote:
>> On 23 Apr 2011 10:55, Josh Triplett wrote:
>>> The systemd-nspawn manpage lists the various mechanisms used to isolate
>>> the container, and then says "Note that even though these security
>>> precautions are taken systemd-nspawn is not suitable for secure
>>> container setups. Many of the security features may be circumvented and
>>> are hence primarily useful to avoid accidental changes to the host
>>> system from the container."
>>>
>>> How can a process in a systemd-nspawn container circumvent the container
>>
>> remount /proc and /sys
>
> Ah, good point. So, root inside the container can trivially circumvent
> the container that way. Any way to prevent that with current kernel
> support, or would fixing this require additional kernel changes to lock
> down other /proc and /sys mounts?

OpenVZ is what you need in that case. OpenVZ is much like systemd-nspawn, but more secure. So it can be used to provide VPS ;)

> That particular problem only applies if running code within the
> container as root. How about if running code as an unprivileged user?
> With that addition, does systemd-nspawn provide a secure container
> (modulo local privilege escalation vulnerabilities)?
>
> Thanks,
> Josh Triplett

systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
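A defender-side check for the gap the thread discusses, added here as an example that is not from the thread, from systemd or from OpenVZ: it parses /proc/self/mountinfo (the format documented in proc(5)) and reports whether /proc and /sys as seen from inside a container are present, of the expected filesystem type, and mounted read-only. The sample mountinfo text is constructed, and the function names are the example's own.

```python
"""Audit the /proc and /sys mounts visible from inside a container.

Reads the proc(5) mountinfo format and reports whether /proc and /sys
are present, carry the expected filesystem type, and are read-only.
"""

# Constructed sample of /proc/self/mountinfo (not captured from a real host):
# /proc is writable, /sys is read-only, plus an unrelated root filesystem.
SAMPLE_MOUNTINFO = """\
36 35 0:3 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
37 35 0:15 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
38 35 8:1 / / rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
"""

# Pseudo-filesystems the container should see only as the right fstype.
EXPECTED_FSTYPE = {"/proc": "proc", "/sys": "sysfs"}


def parse_mountinfo(text):
    """Return {mount_point: {"fstype": str, "opts": set}} for each line."""
    mounts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        # proc(5): fields before " - " are id, parent, major:minor, root,
        # mount point, per-mount options, optional tagged fields.
        left, _, right = line.partition(" - ")
        fields = left.split()
        mount_point = fields[4]
        mount_opts = set(fields[5].split(","))
        fstype = right.split()[0]
        mounts[mount_point] = {"fstype": fstype, "opts": mount_opts}
    return mounts


def audit_pseudo_fs(mounts):
    """Classify each expected pseudo-filesystem mount for a quick review."""
    findings = {}
    for path, expected in EXPECTED_FSTYPE.items():
        entry = mounts.get(path)
        if entry is None:
            findings[path] = "missing"
        elif entry["fstype"] != expected:
            findings[path] = "unexpected fstype " + entry["fstype"]
        elif "ro" not in entry["opts"]:
            findings[path] = "writable"
        else:
            findings[path] = "read-only"
    return findings


if __name__ == "__main__":
    with open("/proc/self/mountinfo") as f:  # run inside the container
        print(audit_pseudo_fs(parse_mountinfo(f.read())))
```

A read-only flag is only a sanity check on the container's configuration: as the thread notes, root inside the container can remount these filesystems, so this audit flags a misconfiguration rather than proving isolation.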