[lxc-devel] TODO list?
Seth Forshee
seth.forshee at canonical.com
Mon Jun 9 16:48:03 UTC 2014
On Mon, Jun 09, 2014 at 04:01:22PM +0000, Serge Hallyn wrote:
> Quoting Christian Evans (Frodox at zoho.com):
> > Hi folks!
> >
> > I am looking for a way to improve [security of] Linux Containers.
> >
> > Where I can find any ToDo/features list, so I could help the project?
>
> Hm, there isn't one right now that is up to date, especially pertaining
> to security. If security is what you are particularly interested in,
> then some areas where you could help are
>
> 1. implement lxc support for Smack
>
> 2. work on some usable seccomp policies - with the new personality and
> blacklist policy support we should be able to get some policies for
> standard workloads that are actually useful, i.e. refusing compat calls
> in x86-64 containers, etc.
>
> 3. work on selinux container policies
>
> 4. test out mountlo and the other fuse filesystems that Eric
> mentioned should allow mounting from an unprivileged user namespace.
> (I gave it a 0% effort attempt, got an EPERM, and moved on to higher
> prio things; it should be fun to figure out)
I'm planning to play around with this sometime this week (just back from
being on holiday last week, still playing catch-up). Though I did play
briefly with mountlo outside a container last week. It worked, but it
hasn't been updated in 5 years and is currently using a 2.6.29 kernel
for usermode Linux, which doesn't give me warm, fuzzy feelings about it.
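To make item 2 of Serge's list concrete, here is a small version-2 blacklist seccomp policy in the format LXC's `lxc.seccomp` config key loads. This is an added illustration written for this page, not a policy shipped by the LXC project, and the file path, the choice of denied syscalls and the `errno 1` (EPERM) return value are my own assumptions; the per-architecture `[x86_64]`/`[x86]` sections are what let a policy treat 32-bit compat calls differently from the container's native ABI.

```text
# Added example, not LXC's own file: /var/lib/lxc/<name>/seccomp.policy (path assumed)
# Line 1 is the policy format version, line 2 the mode.
# "blacklist" means every syscall NOT listed below stays allowed,
# and a listed syscall without an explicit action gets the default (kill).
2
blacklist

# Rules for the container's native 64-bit ABI.
[x86_64]
# Device nodes have no business being created inside a container;
# return EPERM (errno 1) so the caller sees a clean failure instead of a kill.
mknod errno 1
mknodat errno 1
# Kernel module loading is never legitimate from a container; default action (kill).
init_module
finit_module
delete_module
# Loading a new kernel image from a container is likewise never legitimate.
kexec_load

# Rules for the 32-bit compat ABI of the same container.
[x86]
mknod errno 1
init_module
delete_module
```

Referenced from the container's config as `lxc.seccomp = /var/lib/lxc/<name>/seccomp.policy` (LXC 1.0-era key name). A quick sanity check after starting the container is to read the `Seccomp:` line of `/proc/<init-pid>/status`, which should report `2` (filter mode) for the container's init.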