[lxc-devel] /proc/kmsg in the container

Gianluigi Tiesi sherpya at netfarm.it
Fri Jul 4 00:51:07 UTC 2014


On 07/04/14 01:32, Stéphane Graber wrote:
> On Fri, Jul 04, 2014 at 01:20:09AM +0200, Gianluigi Tiesi wrote:
>> Hi,
>> lxc creates a symlink from /dev/kmsg to /dev/console
>> but unfortunately syslogd (i.e. from inetutils) wants to read from
>> /proc/kmsg.
>> This caused very nasty problems on the host so I had to disable klog
>> part of inetutils-syslogd.
>> I would also prevent containers to read my kernel buffer ring
>> (dmesg) and hang the host syslogd, there is a way to have such kind
>> of isolation?
>
> Properly blocking dmesg is kind of hard, if I recall correctly you need
> a mix of apparmor and seccomp to block access to /proc/kmsg, /dev/kmsg
> and the syslog syscall.
>

umpf


-- 
Gianluigi Tiesi <sherpya at netfarm.it>
EDP Project Leader
Netfarm S.r.l. - http://www.netfarm.it/
Free Software: http://oss.netfarm.it/

Q: Because it reverses the logical flow of conversation.
A: Why is putting a reply at the top of the message frowned upon?
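Added example (not code from the thread or from the LXC project): a small
probe you can build and run inside a container to see which of the three
routes Stéphane names, /proc/kmsg, /dev/kmsg and the syslog(2) syscall, are
still open to it. The probes only open() and close(), or ask the syscall for
the buffer size; none of them reads /proc/kmsg, because a read there
consumes messages and is exactly what starves the host's syslogd. The
paths and the classification of errno values are my assumptions, as are
the errno 1 (EPERM) and EACCES outcomes one gets from a seccomp "errno"
rule and an AppArmor deny rule respectively.

```c
/*
 * kmsg_probe.c - report whether this process can reach the kernel ring
 * buffer via /proc/kmsg, /dev/kmsg or syslog(2).  Added example; not
 * part of LXC.  Build: cc -o kmsg_probe kmsg_probe.c
 * Exit status 0 means every route is closed (absent or denied).
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/klog.h>
#include <unistd.h>

enum kmsg_access {
    KMSG_READABLE, /* route is open to the container: isolation is missing */
    KMSG_DENIED,   /* refused by mode bits, AppArmor, seccomp or dmesg_restrict */
    KMSG_ABSENT    /* the node does not exist in this container */
};

/* Map the errno of a failed open()/klogctl() (or 0 for success) to a class.
 * Assumed mapping: EACCES comes from DAC or an AppArmor deny rule, EPERM from
 * a seccomp "errno 1" rule or dmesg_restrict; both are treated as denied. */
enum kmsg_access classify_errno(int err)
{
    switch (err) {
    case 0:
        return KMSG_READABLE;
    case ENOENT:
    case ENXIO:
    case ENODEV:
        return KMSG_ABSENT;
    default:
        return KMSG_DENIED;
    }
}

/* Open the node read-only and close it again without reading a byte.
 * Opening /proc/kmsg only performs the permission check; it is the read
 * that would steal messages from the host's klogd. */
enum kmsg_access probe_node(const char *path)
{
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return classify_errno(errno);
    close(fd);
    return KMSG_READABLE;
}

/* syslog(2) type 10 is SYSLOG_ACTION_SIZE_BUFFER: it returns the ring
 * buffer size and neither reads nor clears it.  The kernel applies the
 * same permission check to it as to READ_ALL, so it is a safe stand-in
 * for "can this container dmesg via the syscall". */
enum kmsg_access probe_syslog_syscall(void)
{
    if (klogctl(10, NULL, 0) < 0)
        return classify_errno(errno);
    return KMSG_READABLE;
}

static const char *describe(enum kmsg_access a)
{
    if (a == KMSG_READABLE)
        return "READABLE";
    return a == KMSG_DENIED ? "denied" : "absent";
}

/* Run all three probes, print a line per route, and return how many
 * routes are still readable (0 means the ring buffer is isolated). */
int probe_all(void)
{
    int leaks = 0;
    enum kmsg_access r;

    r = probe_node("/proc/kmsg");
    printf("/proc/kmsg  : %s\n", describe(r));
    leaks += (r == KMSG_READABLE);

    r = probe_node("/dev/kmsg");
    printf("/dev/kmsg   : %s\n", describe(r));
    leaks += (r == KMSG_READABLE);

    r = probe_syslog_syscall();
    printf("syslog(2)   : %s\n", describe(r));
    leaks += (r == KMSG_READABLE);

    return leaks;
}

int main(void)
{
    return probe_all() == 0 ? 0 : 1;
}
```

Run it as root inside the container before and after applying the
restrictions. With the LXC 1.0 seccomp policy format as I remember it, a
version-2 policy with the line "syslog errno 1" makes the third probe
report "denied" with EPERM, and an AppArmor profile with "deny /proc/kmsg
rw," and "deny /dev/kmsg rw," turns the first two into EACCES; the lxc.conf
keys for these are lxc.seccomp and lxc.aa_profile. Those details are from
memory, not from this thread, so check them against the LXC version you run.
Note that with the /dev/kmsg -> /dev/console symlink the thread mentions,
the /dev/kmsg probe tells you about the console, not the ring buffer.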
