[lxc-devel] security of mounting sysfs in LXC container?
Frederic Crozat
fcrozat at suse.com
Tue May 15 14:45:03 UTC 2012
On Tuesday, 15 May 2012 at 10:34 -0400, steve at linuxsuite.org wrote:
> Howdy!
>
> On Debian Squeeze with LXC version 0.7.2, I can mount sysfs in the
> container.
>
> Isn't this a serious security issue? I.e. messing with files in /sys/
> as root in a container.
>
> Or is sysfs protected somehow in an LXC container? Is there a workaround?
> Or is this issue on the TODO list? Or is this changed in later
> versions?
I don't think it is really possible to protect it, unless you mount it
read-only and drop mount capabilities (which means dropping
cap_sys_admin, which probably has a lot of other drawbacks). Or you need
to use some other tricks like SELinux / AppArmor / ...
--
Frederic Crozat <fcrozat at suse.com>
SUSE
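The reply above names two conditions that together make sysfs in a container safe against writes: the sysfs mount is read-only, and CAP_SYS_ADMIN (the capability that would let container root remount it read-write, or mount a fresh writable sysfs) is gone from the effective set. The script below is an added example, not code from the thread or from the LXC project: it checks both conditions from inside a container by parsing the /proc/self/mountinfo and /proc/self/status formats. The sample mountinfo and status texts are constructed, the capability number 21 for CAP_SYS_ADMIN comes from linux/capability.h, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the lxc-devel thread): audit, from inside a
# container, whether every sysfs mount is read-only and whether
# CAP_SYS_ADMIN is absent from the effective capability set.

# Constructed sample /proc/self/mountinfo: sysfs mounted read-write, the
# case the original poster describes. The "shared:7" optional field is
# included to show that the parser skips optional fields before the "-".
SAMPLE_MOUNTINFO_RW='21 1 0:19 / / rw,relatime - ext4 /dev/root rw,data=ordered
22 21 0:4 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
23 21 0:6 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw'

# Constructed sample after a read-only (bind) remount of /sys: the
# per-mount options (field 6) say "ro" although the superblock still says "rw".
SAMPLE_MOUNTINFO_RO='21 1 0:19 / / rw,relatime - ext4 /dev/root rw,data=ordered
23 21 0:6 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs rw'

# Constructed /proc/self/status excerpts: a full root capability set, and the
# same set with bit 21 (CAP_SYS_ADMIN, linux/capability.h) cleared.
SAMPLE_STATUS_FULL='Name:	sh
CapEff:	0000003fffffffff'
SAMPLE_STATUS_DROPPED='Name:	sh
CapEff:	0000003fffdfffff'

# Read mountinfo text on stdin; print "<mountpoint> ro|rw" per sysfs mount.
# A mount counts as read-only if either the per-mount options (field 6) or
# the superblock options (third field after the "-" separator) carry "ro".
sysfs_mounts() {
    awk '{
        for (i = 7; i <= NF; i++) if ($i == "-") break
        if ($(i + 1) != "sysfs") next
        mode = "rw"
        n = split($6 "," $(i + 3), opts, ",")
        for (j = 1; j <= n; j++) if (opts[j] == "ro") mode = "ro"
        print $5, mode
    }'
}

# Succeed only if no sysfs mount in the text on stdin is writable.
sysfs_all_readonly() {
    ! sysfs_mounts | grep -q ' rw$'
}

# Extract the hex CapEff mask from /proc/self/status text on stdin.
capeff_from_status() {
    awk '/^CapEff:/ { print $2 }'
}

# Succeed if CAP_SYS_ADMIN (capability number 21) is set in the hex mask $1.
cap_sys_admin_in_mask() {
    [ $(( 0x${1:-0} >> 21 & 1 )) -eq 1 ]
}

# Report on one mountinfo text ($1) and one status text ($2).
audit_sysfs() {
    printf '%s\n' "$1" | sysfs_mounts
    if printf '%s\n' "$1" | sysfs_all_readonly; then
        echo "sysfs: read-only"
    else
        echo "sysfs: WRITABLE"
    fi
    if cap_sys_admin_in_mask "$(printf '%s\n' "$2" | capeff_from_status)"; then
        echo "CAP_SYS_ADMIN: present (a read-only sysfs can be remounted rw)"
    else
        echo "CAP_SYS_ADMIN: dropped"
    fi
}

echo "== constructed sample: default (writable sysfs, full caps) =="
audit_sysfs "$SAMPLE_MOUNTINFO_RW" "$SAMPLE_STATUS_FULL"
echo "== constructed sample: read-only sysfs, cap_sys_admin dropped =="
audit_sysfs "$SAMPLE_MOUNTINFO_RO" "$SAMPLE_STATUS_DROPPED"
# On Linux, also audit the calling process's own view (a container's view
# when run inside one).
if [ -r /proc/self/mountinfo ] && [ -r /proc/self/status ]; then
    echo "== this process =="
    audit_sysfs "$(cat /proc/self/mountinfo)" "$(cat /proc/self/status)"
fi
```

The two checks belong together: a read-only sysfs mount is only as strong as the container's inability to undo it, and undoing it (remount, or a fresh `mount -t sysfs`) needs CAP_SYS_ADMIN, which is the drawback-laden drop the reply mentions. On the LXC side the corresponding knobs in lxc.container.conf are an `lxc.mount.entry` line for sysfs with `ro` in its options and `lxc.cap.drop = sys_admin`; which other operations the container loses with that drop is deployment-specific and not something this script evaluates.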