[lxc-devel] [RFC PATCH 11/11] loop: Allow priveleged operations for root in the namespace which owns a device
Michael H. Warfield
mhw at WittsEnd.com
Mon May 26 15:32:05 UTC 2014
On Mon, 2014-05-26 at 11:16 +0200, Seth Forshee wrote:
> On Fri, May 23, 2014 at 08:48:25AM +0300, Marian Marinov wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > One question about this patch.
> >
> > Why don't you use the devices cgroup check if the root user in that namespace is allowed to use this device?
> >
> > This way you can be sure that the root in that namespace can not access devices to which the host system did not gave
> > him access to.
> That might be possible, but I don't want to require something on the
> host to whitelist the device for the container. Then loop would need to
> automatically add the device to devices.allow, which doesn't seem
> desirable to me. But I'm not entirely opposed to the idea if others
> think this is a better way to go.
I don't see any safe way to avoid it. The host has to be in control of
what devices can and can not be accessed by the container.
> Seth
Regards,
Mike
--
Michael H. Warfield (AI4NB) | (770) 978-7061 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 482 bytes
Desc: This is a digitally signed message part
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20140526/348b91c7/attachment.sig>
More information about the lxc-devel
mailing list