[lxc-devel] device namespaces
Seth Forshee
seth.forshee at canonical.com
Wed Sep 10 19:32:06 UTC 2014
On Tue, Sep 09, 2014 at 12:20:46PM -0500, riya khanna wrote:
> Hi,
>
> I'm a newbie trying to come up with a fuse/cuse-based solution to
> device namespace virtualization.
Fwiw I find the thought of allowing use of cuse from a container (well,
an unprivileged container at least) more than a little bit frightening
from a security perspective. If a process does an ioctl on a cuse-based
device then the process implementing the device can get a very broad
ability to read and write in the initiator's address space. If the
device were to show up automagically in devtmpfs and a process on the
host could be tricked into opening the device, then that sounds like a
great vector for an attack. Just something to keep in mind.
Seth
More information about the lxc-devel
mailing list