[lxc-devel] security of mounting sysfs in LXC container?

steve at linuxsuite.org steve at linuxsuite.org
Tue May 15 15:45:25 UTC 2012


> On Tuesday 15 May 2012 at 10:34 -0400, steve at linuxsuite.org wrote:
>> Howdy!
>>
>>         On debian squeeze with LXC version 0.7.2, I can mount sysfs in
>> the container..
>>
>>     Isn't this a serious security issue? I.e. messing with files in /sys/
>> as root in a container.
>>
>>    Or is sysfs protected somehow in LXC container? Is there a
>> workaround? Or is this issue on the TODO list? Or is this changed in
>> later versions??
>
> I don't think it is really possible to protect it, unless you mount it
> read-only and drop mount capabilities (which means dropping
> cap_sys_admin, which probably has a lot of other drawbacks). Or you need
> to use some other tricks like SELinux / AppArmor / ...

       There are lots of scenarios where the ability to mount sysfs in
a container is not needed, and/or for security reasons is just a bad idea.

      Isn't it possible to add a simple check to prevent mounting sysfs in a
container, and this feature could be configurable either on a container
by container basis or for all containers? Otherwise getting root in a
container allows for possible trashing of the entire host by messing with
files in /sys??

      This issue is important, and will limit use of LXC in important
production situations. Other container solutions do not allow for mounting
sysfs in a container, for example Linux-Vserver.

      Thoughts? If simple enough and with adequate guidance I may
be able to implement this if it is not on the TODO, and is technically
feasible? But I suppose if it was simple and feasible it would already
be done. Or perhaps understandably there are other priorities? Or conflicts
with other parts of the system or.. perhaps better to implement this
through other means like SELinux (trivial or difficult??)

        thanx - steve


>
> --
> Frederic Crozat <fcrozat at suse.com>
> SUSE
>
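The two mitigations Frederic mentions (sysfs mounted read-only, cap_sys_admin dropped) are things a container administrator can verify from inside the container before trusting a setup. The following is an added audit script written for this thread; it is not LXC code and not from either poster. It parses the /proc/self/mountinfo and /proc/self/status formats (documented in proc(5)); the sample mountinfo and status lines below are constructed so the checks run without a real container, and the constant CAP_SYS_ADMIN = 21 is the capability bit number from linux/capability.h.

```python
"""Audit helper (added example, not LXC's own code): report whether sysfs is
writable and whether CAP_SYS_ADMIN is still in the effective capability set.
Run as a script inside a container to check the live /proc files; the
constructed samples below let the functions be exercised anywhere."""
import sys

CAP_SYS_ADMIN = 21  # bit number of CAP_SYS_ADMIN in the CapEff bitmask

# Constructed sample of /proc/self/mountinfo lines. Field layout per proc(5):
# id parent maj:min root mount_point mount_options [optional...] - fstype source super_options
SAMPLE_MOUNTINFO = """\
36 35 0:32 / / rw,relatime - ext4 /dev/vda1 rw,data=ordered
37 36 0:3 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
38 36 0:15 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
39 36 0:15 / /mnt/sys-ro ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
"""

# Constructed /proc/self/status excerpts: full root caps, and the same set
# with bit 21 (CAP_SYS_ADMIN) cleared.
SAMPLE_STATUS_FULL = "Name:\tbash\nCapEff:\t0000003fffffffff\n"
SAMPLE_STATUS_DROPPED = "Name:\tbash\nCapEff:\t0000003fffdfffff\n"


def parse_mountinfo(text):
    """Return a list of dicts with mount point, fstype and both option sets."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # The " - " separator divides the fixed/optional fields from the fs fields;
        # mount points containing spaces are escaped as \040, so split() is safe.
        pre, sep, post = line.partition(" - ")
        pre_fields, post_fields = pre.split(), post.split()
        if not sep or len(pre_fields) < 6 or len(post_fields) < 3:
            continue  # skip malformed lines rather than guess
        mounts.append({
            "mount_point": pre_fields[4],
            "mount_options": set(pre_fields[5].split(",")),  # per-mount flags
            "fstype": post_fields[0],
            "super_options": set(post_fields[2].split(",")),  # superblock flags
        })
    return mounts


def writable_sysfs_mounts(mounts):
    """Mount points of sysfs instances that are writable through that mount.
    A mount is read-only if either the per-mount flags or the superblock say 'ro'."""
    return [m["mount_point"] for m in mounts
            if m["fstype"] == "sysfs"
            and "ro" not in m["mount_options"]
            and "ro" not in m["super_options"]]


def has_cap_sys_admin(status_text):
    """True if CAP_SYS_ADMIN is set in the CapEff line of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            cap_eff = int(line.split(":", 1)[1].strip(), 16)
            return bool(cap_eff & (1 << CAP_SYS_ADMIN))
    raise ValueError("no CapEff line in status text")


def audit(mountinfo_text, status_text):
    """Return a list of human-readable findings (empty list = both mitigations in place)."""
    findings = []
    for mp in writable_sysfs_mounts(parse_mountinfo(mountinfo_text)):
        findings.append("sysfs mounted read-write at %s" % mp)
    if has_cap_sys_admin(status_text):
        findings.append("CAP_SYS_ADMIN is in the effective set (remount/mount possible)")
    return findings


if __name__ == "__main__":
    # Live check: read the real /proc files of this process.
    with open("/proc/self/mountinfo") as f:
        mi = f.read()
    with open("/proc/self/status") as f:
        st = f.read()
    for finding in audit(mi, st) or ["ok: sysfs read-only and CAP_SYS_ADMIN dropped"]:
        print(finding)
    sys.exit(0)
```

On the constructed sample the script reports /sys as writable (the /mnt/sys-ro instance is read-only at both the mount and superblock level) and, with the full capability set, that CAP_SYS_ADMIN is still present; with bit 21 cleared only the writable-sysfs finding remains. Note the caveat Frederic gives: a read-only sysfs alone is not enough while the container keeps CAP_SYS_ADMIN, because that capability allows mounting a fresh sysfs instance.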
