[lxc-devel] security of mounting sysfs in LXC container?
Serge Hallyn
serge.hallyn at canonical.com
Tue May 15 15:42:43 UTC 2012
Quoting Frederic Crozat (fcrozat at suse.com):
> On Tuesday, 15 May 2012 at 10:34 -0400, steve at linuxsuite.org wrote:
> > Howdy!
> >
> > On Debian squeeze with LXC version 0.7.2, I can mount sysfs in the
> > container.
> >
> > Isn't this a serious security issue? I.e., messing with files in /sys/
> > as root in a container.
> >
> > Or is sysfs protected somehow in LXC container? Is there a workaround?
> > Or is this issue on the TODO list? Or is this changed in later
> > versions??
>
> I don't think it is really possible to protect it, unless you mount it
> read-only and drop mount capabilities (which means dropping
> cap_sys_admin, which probably has a lot of other drawbacks). Or you need
> to use some other tricks like SELinux / AppArmor / ...
(which we will - it's done in an Ubuntu-specific way with AppArmor right
now, but I will generalize that and make it work upstream and with
SELinux, "soon")
User namespaces will also fix this - the sysfs files will be owned
by the GLOBAL_ROOT_UID, so root in a container will not have access
to them. Hopefully in the next few months they'll be upstream, and
in the meantime I've got the start of a patch to use them in lxc.
-serge
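
An added example, not part of the original thread or of LXC: a shell check for the two conditions the quoted reply names (sysfs mounted read-only, CAP_SYS_ADMIN dropped from the bounding set). The function names and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks the two conditions named in the thread.
# Function names and the sample data at the bottom are constructed.

CAP_SYS_ADMIN_BIT=21   # CAP_SYS_ADMIN in linux/capability.h

# Print "ro", "rw" or "absent" for the sysfs entries in a mounts file.
# A single writable sysfs mount makes the result "rw".
sysfs_mount_state() {
    awk '$3 == "sysfs" {
             found = 1; ro = 0
             n = split($4, opt, ",")
             for (i = 1; i <= n; i++) if (opt[i] == "ro") ro = 1
             if (!ro) rw = 1
         }
         END { print (!found ? "absent" : (rw ? "rw" : "ro")) }' "$1"
}

# Succeed if CAP_SYS_ADMIN is in the bounding set (CapBnd) of a status file.
# An unreadable value counts as present, so the audit fails closed.
has_cap_sys_admin() {
    hex=$(awk '$1 == "CapBnd:" { print $2 }' "$1")
    [ -n "$hex" ] || return 0
    [ $(( (0x$hex >> $CAP_SYS_ADMIN_BIT) & 1 )) -eq 1 ]
}

# OK only when CAP_SYS_ADMIN is dropped and no writable sysfs is mounted.
audit_sysfs() {
    state=$(sysfs_mount_state "$1")
    if has_cap_sys_admin "$2"; then cap=present; else cap=dropped; fi
    case "$state/$cap" in
        ro/dropped|absent/dropped) echo "OK sysfs=$state cap_sys_admin=$cap" ;;
        *) echo "WEAK sysfs=$state cap_sys_admin=$cap" ;;
    esac
}

# Constructed sample: read-only sysfs, but CAP_SYS_ADMIN still in CapBnd.
tmp=$(mktemp -d)
printf 'proc /proc proc rw,nosuid 0 0\nsysfs /sys sysfs ro,nosuid 0 0\n' > "$tmp/mounts"
printf 'Name:\tinit\nCapBnd:\t0000001fffffffff\n' > "$tmp/status"
audit_sysfs "$tmp/mounts" "$tmp/status"
rm -rf "$tmp"
```

Inside a container, the same check runs against live data with `audit_sysfs /proc/self/mounts /proc/self/status`.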