[Lxc-users] dropping capabilities

Serge E. Hallyn serge.hallyn at canonical.com
Tue Oct 5 13:44:07 UTC 2010


Quoting richard -rw- weinberger (richard.weinberger at gmail.com):
> On Tue, Oct 5, 2010 at 11:23 AM, Daniel Lezcano <daniel.lezcano at free.fr> wrote:
> > Yep. The cgroup can be remounted in the container but you can prevent the
> > access to the directory with SMACK or SELinux. There is a good document at
> > explaining how to do that.
> >
> > http://www.ibm.com/developerworks/linux/library/l-lxc-security/
> 
> Yeah, but there are more problems. For example on my test system /lxc
> is a separate filesystem. With CAP_SYS_ADMIN an evil guy could do "ln
> -s /proc/mounts /etc/mtab ; mount / -o remount,ro" and all other lxc
> instances are unusable...

Not sure what you mean by this particular example, but yes, the gist
of the article is that you need smack or selinux in order to contain
root in a container right now.  And you need a lot more work on the
mac policies than the article does to do it right.

-serge



