[lxc-devel] TODO list?
Michael H. Warfield
mhw at WittsEnd.com
Mon Jun 9 16:08:20 UTC 2014
On Mon, 2014-06-09 at 16:01 +0000, Serge Hallyn wrote:
> Quoting Christian Evans (Frodox at zoho.com):
> > Hi folks!
> >
> > I am looking for a way to improve [security of] Linux Containers.
> >
> > Where I can find any ToDo/features list, so I could help the project?
> Hm, there isn't one right now that is up to date, especially pertaining
> to security. If security is what you are particularly interested in,
> then some areas where you could help are
> 1. implement lxc support for Smack
> 2. work on some usable seccomp policies - with the new personality and
> blacklist policy support we should be able to get some policies for
> standard workloads that are actually useful, i.e. refusing compat calls
> in x86-64 containers, etc.
Oh! Hey! Yeah! That reminds me. We were having that whole discussion
over on the -users list about Fedora containers and appropriate
AppArmor policy and whether it should be a relaxed policy (currently
unconfined) or if some appropriate mounts should be substituted to keep
systemd satisfied. That's a big one.
> 3. work on selinux container policies
> 4. test out mountlo and other FUSE filesystems that Eric
> mentioned should allow mounting from an unprivileged user namespace.
> (I gave it a 0% effort attempt, got an EPERM, and moved on to higher
> prio things; it should be fun to figure out)
+1
Loopback stuff is a significant PITA with security implications.
> -serge
Regards,
Mike
--
Michael H. Warfield (AI4NB) | (770) 978-7061 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
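Added example, not part of the thread and not LXC's own code: a raw seccomp-BPF filter showing what "refusing compat calls in x86-64 containers" (item 2 above) means at the kernel level. The filter kills any syscall whose audit arch is not AUDIT_ARCH_X86_64 (so i386 "compat" calls are refused), and also kills x32-ABI calls, which share the x86-64 arch value but carry the __X32_SYSCALL_BIT in the syscall number. The BPF constants, the seccomp_data offsets and a tiny interpreter are reproduced locally so the filter's decisions can be checked on any host; installing it via prctl() only happens on Linux. The LXC policy-file syntax itself is not shown here.

```c
/* Added example (not LXC code): seccomp-BPF filter that refuses non-x86-64
 * (i386 "compat") and x32 system calls in an x86-64 process. */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#ifdef __linux__
#include <sys/prctl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <linux/audit.h>
#endif

/* Values from <linux/bpf_common.h>, <linux/audit.h>, <linux/seccomp.h>,
 * guarded so the block also builds where those headers are absent. */
#ifndef BPF_LD
#define BPF_LD 0x00
#define BPF_W 0x00
#define BPF_ABS 0x20
#define BPF_JMP 0x05
#define BPF_JEQ 0x10
#define BPF_JGE 0x30
#define BPF_K 0x00
#define BPF_RET 0x06
#endif
#ifndef AUDIT_ARCH_X86_64
#define AUDIT_ARCH_X86_64 0xC000003EU
#endif
#ifndef AUDIT_ARCH_I386
#define AUDIT_ARCH_I386 0x40000003U
#endif
#ifndef SECCOMP_RET_KILL
#define SECCOMP_RET_KILL 0x00000000U
#endif
#ifndef SECCOMP_RET_ALLOW
#define SECCOMP_RET_ALLOW 0x7FFF0000U
#endif
#define X32_SYSCALL_BIT 0x40000000U  /* __X32_SYSCALL_BIT from <asm/unistd.h> */

/* offsetof(struct seccomp_data, nr) and (..., arch): int nr; __u32 arch; ... */
#define SD_NR_OFF 0
#define SD_ARCH_OFF 4

/* Same layout as struct sock_filter: u16 code, u8 jt, u8 jf, u32 k. */
struct filter_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
#define INSN_STMT(code, k) { (uint16_t)(code), 0, 0, (uint32_t)(k) }
#define INSN_JUMP(code, k, jt, jf) { (uint16_t)(code), (uint8_t)(jt), (uint8_t)(jf), (uint32_t)(k) }

static struct filter_insn no_compat_filter[] = {
    INSN_STMT(BPF_LD | BPF_W | BPF_ABS, SD_ARCH_OFF),            /* A = arch            */
    INSN_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0), /* x86-64? skip kill  */
    INSN_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),               /* i386 or other: kill */
    INSN_STMT(BPF_LD | BPF_W | BPF_ABS, SD_NR_OFF),              /* A = syscall number  */
    INSN_JUMP(BPF_JMP | BPF_JGE | BPF_K, X32_SYSCALL_BIT, 0, 1),  /* x32 bit set? kill   */
    INSN_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    INSN_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define FILTER_LEN (sizeof(no_compat_filter) / sizeof(no_compat_filter[0]))

/* Minimal interpreter for the three instruction forms used above, so the
 * filter can be exercised without loading it into the kernel. */
static uint32_t run_filter(const struct filter_insn *f, size_t n, uint32_t arch, int nr)
{
    uint32_t A = 0;
    size_t pc = 0;
    while (pc < n) {
        const struct filter_insn *i = &f[pc];
        switch (i->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (i->k == SD_NR_OFF) A = (uint32_t)nr;
            else if (i->k == SD_ARCH_OFF) A = arch;
            else return SECCOMP_RET_KILL;           /* offset not modelled */
            pc++;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += 1 + (A == i->k ? i->jt : i->jf);
            break;
        case BPF_JMP | BPF_JGE | BPF_K:
            pc += 1 + (A >= i->k ? i->jt : i->jf);
            break;
        case BPF_RET | BPF_K:
            return i->k;
        default:
            return SECCOMP_RET_KILL;                /* unknown opcode: fail closed */
        }
    }
    return SECCOMP_RET_KILL;                        /* fell off the end: fail closed */
}

/* Decision the kernel would make for a syscall with this arch and number. */
uint32_t decide(uint32_t arch, int nr)
{
    return run_filter(no_compat_filter, FILTER_LEN, arch, nr);
}

/* Install the filter in the calling process (Linux only); 0 on success. */
int install_no_compat_filter(void)
{
#ifdef __linux__
    struct sock_fprog prog = { (unsigned short)FILTER_LEN, (struct sock_filter *)no_compat_filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;  /* required unless CAP_SYS_ADMIN */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
#else
    return -1;
#endif
}

int main(void)
{
    printf("x86-64 write(1): %s\n", decide(AUDIT_ARCH_X86_64, 1) == SECCOMP_RET_ALLOW ? "allow" : "kill");
    printf("i386   write(4): %s\n", decide(AUDIT_ARCH_I386, 4) == SECCOMP_RET_ALLOW ? "allow" : "kill");
    printf("x32    write:    %s\n", decide(AUDIT_ARCH_X86_64, (int)(X32_SYSCALL_BIT | 1)) == SECCOMP_RET_ALLOW ? "allow" : "kill");
    printf("install: %d\n", install_no_compat_filter());
    return 0;
}
```

The x32 check is the part a straight "arch != x86-64 then kill" policy misses: x32 syscalls report AUDIT_ARCH_X86_64 and are only distinguishable by the high bit in nr, so a policy meant to confine a container to one ABI has to test both fields.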