[Lxc-users] dropping capabilities

Daniel Lezcano daniel.lezcano at free.fr
Tue Oct 5 14:40:43 UTC 2010


On 10/05/2010 12:34 PM, richard -rw- weinberger wrote:

[ cut ]

>>> IMHO CAP_SYS_ADMIN is a no-go.
>>> A jailed root would be able to mount the cgroup filesystem -> game over.
>>>
>>
>> Yep. The cgroup can be remounted in the container but you can prevent the
>> access to the directory with SMACK or SELinux. There is a good document
>> explaining how to do that.
>>
>> http://www.ibm.com/developerworks/linux/library/l-lxc-security/
>>
> Yeah, but there are more problems. For example on my test system /lxc
> is a separate filesystem. With CAP_SYS_ADMIN an evil guy could do "ln
> -s /proc/mounts /etc/mtab ; mount / -o remount,ro" and all other lxc
> instances are unusable...
>

Well, I still don't get the behavior of the 'remount' option wrt the
mount namespace, this is something I have definitely asked for ... :)

But you are right, we should prevent that. I think this case is covered 
by the user namespace (when finished).
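The thread turns on whether a container's root still holds CAP_SYS_ADMIN. The kernel reports each process's capability sets as hex bitmasks in /proc/<pid>/status (CapBnd is the bounding set, which a process can never regain), so a defender can verify from the host that a container's init was actually started without CAP_SYS_ADMIN. The script below is an added example written for this page, not code from the thread or from the LXC project; the bit numbers come from <linux/capability.h>, the two status excerpts are constructed sample input, and the `forbidden` list is an assumption about which capabilities a site wants kept out of containers.

```python
# Added example (not from the lxc-users thread): check a process's
# capability bounding set, as reported in /proc/<pid>/status, for
# capabilities that should never be present inside a container.
import re

# Bit numbers from <linux/capability.h>.
CAP_SYS_MODULE = 16
CAP_SYS_ADMIN = 21
CAP_MKNOD = 27

CAP_NAMES = {CAP_SYS_MODULE: "CAP_SYS_MODULE",
             CAP_SYS_ADMIN: "CAP_SYS_ADMIN",
             CAP_MKNOD: "CAP_MKNOD"}

# Constructed sample: the status lines of a container init that kept
# every capability (mask 0x3fffffffff = bits 0..37 set) ...
STATUS_FULL_CAPS = """\
Name:\tinit
Pid:\t4242
CapInh:\t0000000000000000
CapPrm:\t0000003fffffffff
CapEff:\t0000003fffffffff
CapBnd:\t0000003fffffffff
"""

# ... and of one whose bounding set has bit 21 (CAP_SYS_ADMIN) cleared.
STATUS_NO_SYS_ADMIN = """\
Name:\tinit
Pid:\t4243
CapInh:\t0000000000000000
CapPrm:\t0000003fffdfffff
CapEff:\t0000003fffdfffff
CapBnd:\t0000003fffdfffff
"""

_CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$")


def parse_caps(status_text):
    """Return {'CapInh': int, 'CapPrm': int, ...} parsed from status text."""
    caps = {}
    for line in status_text.splitlines():
        m = _CAP_LINE.match(line)
        if m:
            caps[m.group(1)] = int(m.group(2), 16)
    return caps


def has_cap(mask, cap_bit):
    """True if capability number cap_bit is set in the hex mask."""
    return bool((mask >> cap_bit) & 1)


def forbidden_caps_in_bounding_set(status_text,
                                   forbidden=(CAP_SYS_ADMIN, CAP_SYS_MODULE)):
    """Return the sorted list of forbidden capability numbers still present
    in the process's bounding set (CapBnd). Empty list means the process,
    and every descendant, can never obtain them again."""
    bnd = parse_caps(status_text).get("CapBnd", 0)
    return sorted(c for c in forbidden if has_cap(bnd, c))


def check_pid(pid="self", forbidden=(CAP_SYS_ADMIN, CAP_SYS_MODULE)):
    """Read /proc/<pid>/status on a live Linux host and report offenders."""
    with open(f"/proc/{pid}/status") as f:
        return forbidden_caps_in_bounding_set(f.read(), forbidden)


if __name__ == "__main__":
    for label, text in (("full caps", STATUS_FULL_CAPS),
                        ("sys_admin dropped", STATUS_NO_SYS_ADMIN)):
        bad = forbidden_caps_in_bounding_set(text)
        print(f"{label}: {[CAP_NAMES[c] for c in bad] or 'OK'}")
    # On a real host: python3 capcheck.py, then check_pid(<container init pid>)
```

Run it against the pid of a container's init as seen from the host (`lxc-info` or `ps` will give it); a non-empty result for CapBnd means the scenario in the quoted mail (remounting the rootfs from inside) is still reachable with plain root in the container, regardless of what SMACK or SELinux does on top.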
