[Lxc-users] Two Questions: UID Privilege Isolation . Prevent cgroup mount in VM

Serge Hallyn serge.hallyn at canonical.com
Thu Apr 14 19:19:05 UTC 2011


Quoting sanjay (genacct412 at gmail.com):
> Hi! I am new to the technology and thread. I have two basic questions, hope
> you can provide some guidance.
> 
> 1. UID Privilege Isolation.
> ~~~~~~~~~~~~~~~~~
> If I understand it right, currently if a host-uid and guest-uid have the
> same numerical value, they essentially have the same file access privilege.
> Posting from 01/14/11 indicated that a patchset related to 'user namespace'
> is in the works to address this issue. Link in the LXC home/user indicated two
> possible approaches are being considered. I was wondering if there has been
> any conclusion on this front?

I don't know what link you mean.  There is a clear roadmap, there is
plenty of work to be done.

> 2. Guest modifying its own cgroup
> ~~~~~~~~~~~~~~~~~~~~~~~~
> It appears that from a guest one can mount the cgroup and modify its own
> constraints specified in the cgroup. Is there a way, I can prevent a guest
> from doing so?

LSM

-serge
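One way to act on the "LSM" answer above, as an added example that is not part of this thread and not a profile shipped by the LXC project: an AppArmor profile fragment that refuses a new cgroup mount from inside the container and also refuses writes to a cgroup tree that is already mounted there. The second rule matters because a deny-mount rule does nothing if the host bind-mounted the cgroup filesystem into the container before the profile applied. The profile name, the mount-point paths and the bare `file,`/`capability,`/`network,` grants are assumptions for illustration; AppArmor's mount mediation (the `deny mount fstype=...` syntax) is newer than this 2011 thread, and attaching the profile to the container's init is LXC-version-specific and is not shown here.

```apparmor
# Added example, not the LXC project's own profile.
# Assumes the container's init is confined by a profile named
# "lxc-deny-cgroup" (the name is an assumption).
profile lxc-deny-cgroup flags=(attach_disconnected,mediate_deleted) {
  # Broad grants so the rest of the guest keeps working; a real profile
  # would enumerate the container's permissions instead of these three.
  file,
  capability,
  network,

  # Refuse any new cgroup mount from inside the guest, wherever it tries
  # to put the mount point. This is what stops "mount -t cgroup ...".
  deny mount fstype=cgroup,

  # A mount rule does not cover a cgroup tree mounted (or bind-mounted in
  # by the host) before this profile applied, so also refuse writes there.
  # Reads stay allowed so the guest can still inspect its limits; 'w' is
  # what would let it rewrite them. Both paths are assumed mount points.
  deny /sys/fs/cgroup/** w,
  deny /cgroup/** w,
}
```

Load it with `apparmor_parser -r` on the host and check from inside the container that `mount -t cgroup cgroup /mnt` fails with "Permission denied" and that writing to an existing cgroup control file is likewise refused; deny rules are logged by the kernel, so the host's audit log will show the attempt.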
