[lxc-devel] TODO list?
Serge Hallyn
serge.hallyn at ubuntu.com
Mon Jun 9 16:21:09 UTC 2014
Quoting Stéphane Graber (stgraber at ubuntu.com):
> On Mon, Jun 09, 2014 at 04:01:22PM +0000, Serge Hallyn wrote:
> > Quoting Christian Evans (Frodox at zoho.com):
> > > Hi folks!
> > >
> > > I am looking for a way to improve [security of] Linux Containers.
> > >
> > > Where I can find any ToDo/features list, so I could help the project?
> >
> > Hm, there isn't one right now that is up to date, especially pertaining
> > to security. If security is what you are particularly interested in,
> > then some areas where you could help are
> >
> > 1. implement lxc support for Smack
> >
> > 2. work on some usable seccomp policies - with the new personality and
> > blacklist policy support we should be able to get some policies for
> > standard workloads that are actually useful, i.e. refusing compat calls
> > in x86-64 containers, etc.
> >
> > 3. work on selinux container policies
> >
> > 4. test out mountlo and other of the fuse filesystems that Eric
> > mentioned should allow mounting from an unprivileged user namespace.
> > (I gave it a 0% effort attempt, got an EPERM, and moved on to higher
> > prio things; it should be fun to figure out)
>
> 5)
> Maybe look into getting a fuse proc filesystem hook for those who want
> meminfo/cpuinfo to be based on the cgroup values.
5b) join the effort to write a new globally consumable library to wrap
/proc and cgroup info for use by programs like top and free.
> 6)
> Help with getting CRIU to work with LXC (one of the expected main features
> of LXC 1.1).
Tycho is diving into that, so anyone interested in that please hop
onto freenode#criu and coordinate.