[lxc-devel] cgroup isolation

Daniel Lezcano daniel.lezcano at free.fr
Mon Aug 30 13:50:52 UTC 2010


On 08/27/2010 05:52 PM, Denis Rizaev wrote:
> Hi folks.
> I tried to mount cgroup fs in a container and was surprised that I can see the whole
> cgroup tree. Also I can modify limits for my container and others!!
> In my opinion a container should see only its own level of cgroup, not the whole
> tree.
> Is it a fundamental design flaw, or did I miss something?
>    
I think this is something you can prevent with SMACK.

There is documentation here:

http://www.ibm.com/developerworks/linux/library/l-lxc-security/

I am not an expert in this area, so I don't have too much to say :)
Serge (the author of the document) knows much more than me on this.

Thanks
   -- Daniel



