[lxc-devel] TODO list?

Seth Forshee seth.forshee at canonical.com
Mon Jun 9 16:48:03 UTC 2014


On Mon, Jun 09, 2014 at 04:01:22PM +0000, Serge Hallyn wrote:
> Quoting Christian Evans (Frodox at zoho.com):
> > Hi folks!
> > 
> > I am looking for a way to improve [security of] Linux Containers.
> > 
> > Where I can find any ToDo/features list, so I could help the project?
> 
> Hm, there isn't one right now that is up to date, especially pertaining
> to security.  If security is what you are particularly interested in,
> then some areas where you could help are
> 
> 1. implement lxc support for Smack
> 
> 2. work on some usable seccomp policies - with the new personality and
> blacklist policy support we should be able to get some policies for
> standard workloads that are actually useful, i.e. refusing compat calls
> in x86-64 containers, etc.
> 
> 3. work on selinux container policies
> 
> 4. test out mountlo and other of the fuse filesystems that Eric
> mentioned should allow mounting from an unprivileged user namespace.
> (I gave it a 0% effort attempt, got an EPERM, and moved on to higher
> prio things;  it should be fun to figure out)

I'm planning to play around with this sometime this week (just back from
being on holiday last week, still playing catch-up). Though I did play
briefly with mountlo outside a container last week. It worked, but it
hasn't been updated in 5 years and is currently using a 2.6.29 kernel
for usermode Linux, which doesn't give me warm, fuzzy feelings about it.
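Item 2 of Serge's list mentions refusing compat calls in x86-64 containers. The reason this matters for any seccomp policy keyed on syscall numbers is that the i386 and x32 entry paths use different number tables, so a denylist that never looks at the architecture field can be sidestepped by entering the kernel through the 32-bit path. The example below is added here and is not code from this thread or from LXC; it builds and installs a minimal raw seccomp-BPF program that kills the process on any syscall whose `arch` is not `AUDIT_ARCH_X86_64`, which is the check a usable x86-64 policy would layer its syscall rules on top of. The helper names (`build_arch_filter`, `install_arch_filter`, `arch_filter_k`) are this example's own.

```c
/* Added example, not code from the lxc-devel thread or the LXC project.
 * Builds a four-instruction seccomp-BPF filter that allows native x86-64
 * syscalls and kills the process for any other architecture (i386 compat,
 * x32), then installs it with prctl(). Linux/x86-64 only. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Number of instructions in the filter produced by build_arch_filter(). */
#define ARCH_FILTER_LEN 4

/* Fill prog[ARCH_FILTER_LEN] with the filter and return its length. */
size_t build_arch_filter(struct sock_filter *prog)
{
    struct sock_filter f[ARCH_FILTER_LEN] = {
        /* A = seccomp_data.arch (the architecture the syscall arrived on) */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        /* if (A == AUDIT_ARCH_X86_64) jump over the KILL to the ALLOW */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
        /* any other entry path (i386 compat, x32): kill */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* native x86-64 syscall: allow (further rules would go here) */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    memcpy(prog, f, sizeof f);
    return ARCH_FILTER_LEN;
}

/* Accessor for self-checks: the immediate (k) field of instruction i. */
unsigned int arch_filter_k(size_t i)
{
    struct sock_filter prog[ARCH_FILTER_LEN];
    build_arch_filter(prog);
    return i < ARCH_FILTER_LEN ? prog[i].k : 0;
}

/* Install the filter in the calling process. Returns 0 or -errno.
 * NO_NEW_PRIVS is required so an unprivileged task may set a filter. */
int install_arch_filter(void)
{
    struct sock_filter prog[ARCH_FILTER_LEN];
    struct sock_fprog fprog = {
        .len = (unsigned short)build_arch_filter(prog),
        .filter = prog,
    };

    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) != 0)
        return -errno;
    return 0;
}

int main(void)
{
    int rc = install_arch_filter();
    if (rc != 0) {
        fprintf(stderr, "seccomp install failed: %s\n", strerror(-rc));
        return 1;
    }
    /* A native syscall still works; an int 0x80 or x32 entry would be killed. */
    printf("arch filter installed in pid %d\n", (int)getpid());
    return 0;
}
```

Checking `arch` first, before any comparison on `nr`, is the detail that makes the rest of a denylist meaningful: once the filter has confirmed the native architecture, the syscall numbers it compares against are the x86-64 table and nothing else.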

