[lxc-devel] cgroup isolation
Daniel Lezcano
daniel.lezcano at free.fr
Mon Aug 30 13:50:52 UTC 2010
On 08/27/2010 05:52 PM, Denis Rizaev wrote:
> Hi folks.
> I tried to mount the cgroup fs in a container and was surprised that I can see the whole
> cgroup tree. Also I can modify limits for my container and others!!
> In my opinion a container should see only its own level of the cgroup tree, not the whole
> tree.
> Is it a fundamental design flaw, or did I miss something?
>
I think this is something you can prevent with SMACK.
There is some documentation here:
http://www.ibm.com/developerworks/linux/library/l-lxc-security/
I am not an expert in this area, so I don't have too much to say :)
Serge (the author of the document) knows much more than me on this.
Thanks
-- Daniel
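A quick way to check the behaviour Denis describes from inside a container, as an added example that is not part of the thread and not LXC's own code: after mounting the cgroup fs, list every cgroup directory outside the caller's own subtree and then every limit file in those directories that the caller can write. The layout assumed is a v1-style hierarchy with one directory per cgroup and limit files such as memory.limit_in_bytes; the cgroup path is taken from the first line of /proc/self/cgroup, which is an assumption that holds when the audited mount is the one for that line's subsystems. The sample tree built by build_sample_tree is constructed for the demonstration and is not a real cgroup mount.

```shell
#!/bin/sh
# Added example (not from the thread): audit what a process can see and change
# under a cgroup mount, compared with the cgroup it is itself placed in.
# Assumed layout: a v1-style hierarchy where each cgroup is a directory holding
# limit files such as memory.limit_in_bytes (illustrative names).

# Path of the caller's own cgroup, relative to the mount, from the first line of
# /proc/self/cgroup ("id:subsystems:/path"). Assumption: the mount being audited
# is the one for that line's subsystems.
own_cgroup_path() {
    sed -n '1s|^[^:]*:[^:]*:/*||p' /proc/self/cgroup
}

# List every cgroup directory under $1 that lies outside the caller's own
# subtree $2 ("." stands for the hierarchy root). An isolated container should
# list nothing: seeing the root, an ancestor or a neighbour is the leak.
visible_foreign_cgroups() {
    mnt=$1 own=$2
    find "$mnt" -type d | while IFS= read -r d; do
        if [ "$d" = "$mnt" ]; then rel=.; else rel=${d#"$mnt"/}; fi
        case "$rel" in
            "$own"|"$own"/*) ;;                               # own cgroup or a child of it
            *) if [ "$own" != . ]; then printf '%s\n' "$rel"; fi ;;
        esac
    done | LC_ALL=C sort
}

# Among the leaked directories, list the limit files (any regular file whose
# name contains ".limit") the caller can write: other containers' limits.
writable_foreign_limits() {
    mnt=$1 own=$2
    visible_foreign_cgroups "$mnt" "$own" | while IFS= read -r rel; do
        for f in "$mnt/$rel"/*.limit*; do
            if [ -f "$f" ] && [ -w "$f" ]; then
                printf '%s\n' "$rel/${f##*/}"
            fi
        done
    done
}

# Exit status 0 when nothing outside the own subtree is visible.
cgroup_isolation_ok() {
    [ -z "$(visible_foreign_cgroups "$1" "$2")" ]
}

# Constructed sample hierarchy (not a real cgroup mount) so the functions can be
# exercised offline: the root, a parent "lxc", and two containers c1 and c2.
build_sample_tree() {
    root=$(mktemp -d)
    for dir in . lxc lxc/c1 lxc/c2; do
        mkdir -p "$root/$dir"
        printf '9223372036854775807\n' > "$root/$dir/memory.limit_in_bytes"
    done
    printf '%s\n' "$root"
}

# Real use inside a container, after "mount -t cgroup cgroup /mnt/cg" (assumed
# mount point): report the leak only when isolation fails.
#   me=$(own_cgroup_path)
#   cgroup_isolation_ok /mnt/cg "$me" || writable_foreign_limits /mnt/cg "$me"
```

On the sample tree, a process placed in lxc/c1 is shown the root, lxc and lxc/c2, and as root it can write the limit files in all three, which is exactly what the question reports. Note that test -w answers yes for every regular file when run as root, so the writable list is only meaningful for an unprivileged process or one whose capabilities have been dropped.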