[lxc-devel] TODO list?

Michael H. Warfield mhw at WittsEnd.com
Mon Jun 9 16:08:20 UTC 2014


On Mon, 2014-06-09 at 16:01 +0000, Serge Hallyn wrote:
> Quoting Christian Evans (Frodox at zoho.com):
> > Hi folks!
> > 
> > I am looking for a way to improve [security of] Linux Containers.
> > 
> > Where I can find any ToDo/features list, so I could help the project?

> Hm, there isn't one right now that is up to date, especially pertaining
> to security.  If security is what you are particularly interested in,
> then some areas where you could help are

> 1. implement lxc support for Smack

> 2. work on some usable seccomp policies - with the new personality and
> blacklist policy support we should be able to get some policies for
> standard workloads that are actually useful, i.e. refusing compat calls
> in x86-64 containers, etc.

Oh!  Hey!  Yeah!  That reminds me.  We were having that whole discussion
over on the -users list about Fedora containers and appropriate
AppArmor policy and whether it should be a relaxed policy (currently
unconfined) or if some appropriate mounts should be substituted to keep
systemd satisfied.  That's a big one.

> 3. work on selinux container policies

> 4. test out mountlo and other of the fuse filesystems that Eric
> mentioned should allow mounting from an unprivileged user namespace.
> (I gave it a 0% effort attempt, got an EPERM, and moved on to higher
> prio things;  it should be fun to figure out)

+1

Loopback stuff is a significant PITA with security implications.

> -serge

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
