[Lxc-users] Two Questions: UID Privilege Isolation. Prevent cgroup mount in VM

sanjay genacct412 at gmail.com
Thu Apr 14 19:48:20 UTC 2011


Hi Serge! Thanks for your help.

(The link I was referring to in the original mail:
http://lxc.sourceforge.net/index.php/about/kernel-namespaces/user/).

Regards,
Sanjay


On Thu, Apr 14, 2011 at 3:19 PM, Serge Hallyn <serge.hallyn at canonical.com> wrote:

> Quoting sanjay (genacct412 at gmail.com):
> > Hi! I am new to the technology and thread. I have two basic questions,
> > hope you can provide some guidance.
> >
> > 1. UID Privilege Isolation.
> > ~~~~~~~~~~~~~~~~~
> > If I understand it right, currently if a host-uid and guest-uid have the
> > same numerical value, they essentially have the same file access
> > privilege. A posting from 01/14/11 indicated that a patchset related to
> > 'user namespace' is in the works to address this issue. The link in the
> > LXC home/user indicated two possible approaches are being considered. I
> > was wondering if there has been any conclusion on this front?
>
> I don't know what link you mean.  There is a clear roadmap, there is
> plenty of work to be done.
>
> > 2. Guest modifying its own cgroup
> > ~~~~~~~~~~~~~~~~~~~~~~~~
> > It appears that from a guest one can mount the cgroup and modify its own
> > constraints specified in the cgroup. Is there a way I can prevent a
> > guest from doing so?
>
> LSM
>
> -serge
>



-- 
Regards,
Sanjay