[lxc-devel] TODO list?

Serge Hallyn serge.hallyn at ubuntu.com
Mon Jun 9 16:01:22 UTC 2014


Quoting Christian Evans (Frodox at zoho.com):
> Hi folks!
> 
> I am looking for a way to improve [security of] Linux Containers.
> 
> Where can I find any ToDo/features list, so I could help the project?

Hm, there isn't one right now that is up to date, especially pertaining
to security.  If security is what you are particularly interested in,
then some areas where you could help are

1. implement lxc support for Smack

2. work on some usable seccomp policies - with the new personality and
blacklist policy support we should be able to get some policies for
standard workloads that are actually useful, i.e. refusing compat calls
in x86-64 containers, etc.

3. work on selinux container policies

4. test out mountlo and other of the fuse filesystems that Eric
mentioned should allow mounting from an unprivileged user namespace.
(I gave it a 0% effort attempt, got an EPERM, and moved on to higher
prio things;  it should be fun to figure out)

-serge

