[Lxc-users] dropping capabilities
Daniel Lezcano
daniel.lezcano at free.fr
Tue Oct 5 14:40:43 UTC 2010
On 10/05/2010 12:34 PM, richard -rw- weinberger wrote:
[ cut ]
>>> IMHO CAP_SYS_ADMIN is a no-go.
>>> A jailed root would be able to mount the cgroup filesystem -> game over.
>>>
>>>
>> Yep. The cgroup can be remounted in the container but you can prevent the
>> access to the directory with SMACK or SELinux. There is a good document
>> explaining how to do that at:
>>
>> http://www.ibm.com/developerworks/linux/library/l-lxc-security/
>>
> Yeah, but there are more problems. For example on my test system /lxc
> is a separate filesystem. With CAP_SYS_ADMIN an evil guy could do "ln
> -s /proc/mounts /etc/mtab ; mount / -o remount,ro" and all other lxc
> instances are unusable...
>
Well, I still don't get the behavior of the 'remount' option wrt the
mount namespace, this is something I have definitely asked about ... :)
But you are right, we should prevent that. I think this case is covered
by the user namespace (when finished).
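The thread's point is that a container root keeping CAP_SYS_ADMIN can remount filesystems, so the thing to verify on a running container is whether that capability is actually gone from the bounding set. The following is an added example, not code from the lxc project or from anyone in this thread: it decodes the CapBnd/CapEff hex masks that the kernel exposes in /proc/<pid>/status (capability bit numbers as in the kernel's capability.h; CAP_SYS_ADMIN is bit 21) and reports which watched capabilities are still present. The two status excerpts are constructed samples, one for a root with the full bounding set and one where bit 21 has been cleared, which is what the lxc config line `lxc.cap.drop = sys_admin` is meant to produce.

```python
# Decode Linux capability masks from /proc/<pid>/status and flag CAP_SYS_ADMIN.
# Added example for this thread, not lxc's own code. Bit numbers follow the
# kernel's include/uapi/linux/capability.h.

CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH", 3: "CAP_FOWNER",
    4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID", 8: "CAP_SETPCAP",
    9: "CAP_LINUX_IMMUTABLE", 10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST",
    12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT", 19: "CAP_SYS_PTRACE",
    20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN", 22: "CAP_SYS_BOOT", 23: "CAP_SYS_NICE",
    24: "CAP_SYS_RESOURCE", 25: "CAP_SYS_TIME", 26: "CAP_SYS_TTY_CONFIG", 27: "CAP_MKNOD",
    28: "CAP_LEASE", 29: "CAP_AUDIT_WRITE", 30: "CAP_AUDIT_CONTROL", 31: "CAP_SETFCAP",
    32: "CAP_MAC_OVERRIDE", 33: "CAP_MAC_ADMIN", 34: "CAP_SYSLOG", 35: "CAP_WAKE_ALARM",
    36: "CAP_BLOCK_SUSPEND", 37: "CAP_AUDIT_READ",
}


def decode_cap_mask(hex_mask):
    """Turn a hex mask such as '0000003fffffffff' into a set of capability names."""
    mask = int(hex_mask, 16)
    # Unknown (newer) bits are reported by number so nothing is silently hidden.
    return {CAP_NAMES.get(bit, "CAP_%d" % bit)
            for bit in range(mask.bit_length()) if (mask >> bit) & 1}


def parse_status(status_text):
    """Extract every Cap* field from /proc/<pid>/status text into {field: set of caps}."""
    caps = {}
    for line in status_text.splitlines():
        if line.startswith("Cap") and ":" in line:
            field, value = line.split(":", 1)
            caps[field.strip()] = decode_cap_mask(value.strip())
    return caps


def risky_caps(status_text, watch=("CAP_SYS_ADMIN",)):
    """Return the watched capabilities that are still in the bounding set (CapBnd).

    The bounding set is what matters here: a capability outside CapBnd can never
    be regained by the container's root, even through setuid or file capabilities.
    """
    caps = parse_status(status_text)
    bounding = caps.get("CapBnd", set())
    return sorted(c for c in watch if c in bounding)


# Constructed sample: root inside a container that kept the full bounding set.
SAMPLE_FULL = """Name:\tsh
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t0000003fffffffff
CapEff:\t0000003fffffffff
CapBnd:\t0000003fffffffff
"""

# Constructed sample: same root after bit 21 (CAP_SYS_ADMIN) was dropped
# from the bounding set (0x3fffffffff with bit 21 cleared = 0x3fffdfffff).
SAMPLE_DROPPED = """Name:\tsh
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t0000003fffdfffff
CapEff:\t0000003fffdfffff
CapBnd:\t0000003fffdfffff
"""

if __name__ == "__main__":
    # Run inside the container to audit the live process instead of the samples.
    with open("/proc/self/status") as f:
        live = f.read()
    print("sample full root   :", risky_caps(SAMPLE_FULL))
    print("sample dropped root:", risky_caps(SAMPLE_DROPPED))
    print("this process       :", risky_caps(live))
```

Running it as root inside a container that still prints CAP_SYS_ADMIN for the live process means the cgroup-remount and remount-ro cases from the thread are still reachable; the check reads CapBnd rather than CapEff because a capability merely absent from the effective set can be re-acquired.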