[lxc-devel] /proc/kmsg in the container

Stéphane Graber stgraber at ubuntu.com
Thu Jul 3 23:32:55 UTC 2014


On Fri, Jul 04, 2014 at 01:20:09AM +0200, Gianluigi Tiesi wrote:
> Hi,
> lxc creates a symlink from /dev/kmsg to /dev/console
> but unfortunately syslogd (i.e. from inetutils) wants to read from
> /proc/kmsg.
> This caused very nasty problems on the host so I had to disable klog
> part of inetutils-syslogd.
> I would also like to prevent containers from reading my kernel ring
> buffer (dmesg) and hanging the host syslogd; is there a way to have
> that kind of isolation?

Properly blocking dmesg is kind of hard, if I recall correctly you need
a mix of apparmor and seccomp to block access to /proc/kmsg, /dev/kmsg
and the syslog syscall.

> 
> Regards
> 
> -- 
> Gianluigi Tiesi <sherpya at netfarm.it>
> EDP Project Leader
> Netfarm S.r.l. - http://www.netfarm.it/
> Free Software: http://oss.netfarm.it/
> 
> Q: Because it reverses the logical flow of conversation.
> A: Why is putting a reply at the top of the message frowned upon?
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
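The reply above names three separate routes into the kernel log ring (the /proc/kmsg file, the /dev/kmsg character device, and the syslog(2) system call), and each is closed by a different mechanism: an AppArmor file rule for /proc/kmsg, the devices cgroup for the 1:11 character device (a path rule does not help when the container's /dev/kmsg is only lxc's symlink to /dev/console, since AppArmor matches on the resolved path), and a seccomp policy entry such as `syslog errno 1` in a version-2 policy file for the syscall. The probe below is an added example written for this thread, not code from LXC or from either poster; it is meant to be compiled and run inside the container after the policy is applied, and reports which of the three routes can still reach the ring. The state names, the `report()` helper and the build command are this example's own, and the classification of EPERM/EACCES as "blocked" assumes the default errno choices of seccomp, AppArmor and the devices cgroup.

```c
/* kmsg_probe.c: run inside the container to check whether the kernel log
 * ring is still reachable.  Added example for this thread, not LXC code.
 * Build: cc -Wall -o kmsg_probe kmsg_probe.c
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/sysmacros.h>
#include <unistd.h>

/* SYSLOG_ACTION_SIZE_BUFFER from <linux/syslog.h>: returns the ring buffer
 * size and reads nothing, so it is a side-effect-free probe of syslog(2). */
#define SYSLOG_ACTION_SIZE_BUFFER 10

enum kmsg_state {
    KMSG_READABLE, /* the call succeeded: this route is still open */
    KMSG_BLOCKED,  /* EPERM/EACCES: seccomp, AppArmor, devices cgroup, ... */
    KMSG_ABSENT    /* ENOENT, ENXIO, ENOSYS, ...: nothing to read through here */
};

/* Map a return value and errno to one of the three states above. */
enum kmsg_state classify(long rc, int err)
{
    if (rc >= 0)
        return KMSG_READABLE;
    if (err == EPERM || err == EACCES)
        return KMSG_BLOCKED;
    return KMSG_ABSENT;
}

/* Open a path read-only without blocking (/proc/kmsg blocks on read, so
 * only the open is attempted) and report the outcome. */
enum kmsg_state probe_path(const char *path)
{
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_CLOEXEC);
    int err = errno;
    if (fd >= 0)
        close(fd);
    return classify(fd, err);
}

/* /dev/kmsg is only the ring buffer if it is character device 1:11; lxc's
 * /dev/kmsg -> /dev/console symlink opens fine but is the console, so an
 * open that lands on anything else is reported as ABSENT, not READABLE. */
enum kmsg_state probe_kmsg_dev(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_CLOEXEC);
    int err = errno;
    if (fd < 0)
        return classify(-1, err);
    int is_ring = fstat(fd, &st) == 0 && S_ISCHR(st.st_mode)
                  && major(st.st_rdev) == 1 && minor(st.st_rdev) == 11;
    close(fd);
    return is_ring ? KMSG_READABLE : KMSG_ABSENT;
}

/* The raw syscall bypasses klogctl()'s libc wrapper so the result reflects
 * the kernel and the seccomp filter only. */
enum kmsg_state probe_syscall(void)
{
    long rc = syscall(SYS_syslog, SYSLOG_ACTION_SIZE_BUFFER, NULL, 0);
    int err = errno;
    return classify(rc, err);
}

static const char *state_name(enum kmsg_state s)
{
    switch (s) {
    case KMSG_READABLE: return "READABLE";
    case KMSG_BLOCKED:  return "blocked";
    default:            return "absent";
    }
}

/* Returns how many of the three routes can still reach the kernel ring. */
int report(void)
{
    int open_routes = 0;
    enum kmsg_state s;

    s = probe_path("/proc/kmsg");
    printf("/proc/kmsg   %s\n", state_name(s));
    open_routes += (s == KMSG_READABLE);

    s = probe_kmsg_dev("/dev/kmsg");
    printf("/dev/kmsg    %s\n", state_name(s));
    open_routes += (s == KMSG_READABLE);

    s = probe_syscall();
    printf("syslog(2)    %s\n", state_name(s));
    open_routes += (s == KMSG_READABLE);

    return open_routes;
}

int main(void)
{
    int open_routes = report();
    printf("%d of 3 routes to the kernel ring are open\n", open_routes);
    return open_routes ? 1 : 0;
}
```

A non-zero exit status means at least one route is still open. Note that an unprivileged user inside a container already sees "blocked" for /proc/kmsg and the syscall because of CAP_SYSLOG checks, so the probe has to run as the container's root to say anything about the container-level policy; and a result of "absent" for /dev/kmsg is the expected reading when the node is the lxc symlink to /dev/console rather than the real device.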