[Lxc-users] Two Questions: UID Privilege Isolation . Prevent cgroup mount in VM

Serge Hallyn serge.hallyn at canonical.com
Thu Apr 14 19:59:23 UTC 2011


Ah.  That looks years old for sure.  This is a more up to date summary:

https://wiki.ubuntu.com/UserNamespace

-serge

Quoting sanjay (genacct412 at gmail.com):
> Hi Serge! Thanks for your help.
> 
> (The link I was referring in original mail:
> http://lxc.sourceforge.net/index.php/about/kernel-namespaces/user/).
> 
> Regards,
> Sanjay
> 
> 
> On Thu, Apr 14, 2011 at 3:19 PM, Serge Hallyn <serge.hallyn at canonical.com>wrote:
> 
> > Quoting sanjay (genacct412 at gmail.com):
> > > Hi! I am new to the technology and thread. I have two basic questions,
> > > hope you can provide some guidance.
> > >
> > > 1. UID Privilege Isolation.
> > > ~~~~~~~~~~~~~~~~~
> > > If I understand it right, currently if a host-uid and guest-uid have the
> > > same numerical value, they essentially have the same file access
> > > privilege. Posting from 01/14/11 indicated that a patchset related to
> > > 'user namespace' is in the works to address this issue. Link in the LXC
> > > home/user indicated two possible approaches are being considered. I was
> > > wondering if there has been any conclusion on this front?
> >
> > I don't know what link you mean.  There is a clear roadmap, there is
> > plenty of work to be done.
> >
> > > 2. Guest modifying its own cgroup
> > > ~~~~~~~~~~~~~~~~~~~~~~~~
> > > It appears that from a guest one can mount the cgroup and modify its own
> > > constraints specified in the cgroup. Is there a way I can prevent a
> > > guest from doing so?
> >
> > LSM
> >
> > -serge
> >
> 
> 
> 
> -- 
> Regards,
> Sanjay
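As an added illustration of the first question in this thread (not code from the list or from LXC itself): the reason a guest uid and a host uid with the same number carry the same file-access privilege is that, without a user namespace, there is no translation between them. With a user namespace the kernel keeps the translation in /proc/<pid>/uid_map, one "inside_start outside_start count" range per line (format per user_namespaces(7)). The script below parses such a map and reports which host uid a guest uid really is, so a reviewer can check whether a container's root is host root or a shifted, unprivileged host uid. The two map contents are constructed samples, not read from a live system; `read_uid_map` is the only part that touches /proc.

```python
from typing import List, Optional, Tuple

# Constructed sample uid_map contents (not captured from a real host).
# Format, from user_namespaces(7): "inside_start outside_start count".
IDENTITY_MAP = "         0          0 4294967295\n"   # guest uid N == host uid N
SHIFTED_MAP = "         0     100000      65536\n"    # guest 0..65535 -> host 100000..165535

# Default value of /proc/sys/kernel/overflowuid: what an unmapped id looks like.
OVERFLOW_UID = 65534

UidRange = Tuple[int, int, int]


def parse_uid_map(text: str) -> List[UidRange]:
    """Parse uid_map text into (inside_start, outside_start, count) tuples."""
    ranges: List[UidRange] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue  # tolerate blank lines
        if len(parts) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, count = (int(p) for p in parts)
        if count <= 0 or inside < 0 or outside < 0:
            raise ValueError(f"invalid range in uid_map line: {line!r}")
        ranges.append((inside, outside, count))
    return ranges


def guest_to_host(ranges: List[UidRange], guest_uid: int) -> Optional[int]:
    """Translate a uid seen inside the namespace to the host uid it acts as.

    Returns None when the uid is not covered by any range; the kernel then
    presents it as the overflow uid (nobody), which owns nothing on the host.
    """
    for inside, outside, count in ranges:
        if inside <= guest_uid < inside + count:
            return outside + (guest_uid - inside)
    return None


def same_privilege_as_host(ranges: List[UidRange], guest_uid: int) -> bool:
    """True when the guest uid *is* the same host uid, i.e. a file owned by
    that uid on the host is exactly as accessible from inside the guest."""
    return guest_to_host(ranges, guest_uid) == guest_uid


def describe(ranges: List[UidRange], guest_uid: int) -> str:
    """Human-readable verdict for one guest uid, for use in an audit report."""
    host_uid = guest_to_host(ranges, guest_uid)
    if host_uid is None:
        return f"guest uid {guest_uid}: unmapped, appears as overflow uid {OVERFLOW_UID}"
    verdict = "SAME privilege as host" if host_uid == guest_uid else "shifted"
    return f"guest uid {guest_uid}: host uid {host_uid} ({verdict})"


def read_uid_map(pid: str = "self") -> List[UidRange]:
    """Read the live map for a process; 'self' inspects the caller itself."""
    with open(f"/proc/{pid}/uid_map") as f:
        return parse_uid_map(f.read())


if __name__ == "__main__":
    for label, text in (("identity", IDENTITY_MAP), ("shifted", SHIFTED_MAP)):
        ranges = parse_uid_map(text)
        print(f"[{label} map]")
        for uid in (0, 1000, 70000):
            print("  " + describe(ranges, uid))
```

Run against a real container, `read_uid_map(str(pid))` on the container's init process tells you immediately whether the container's uid 0 is host uid 0 (the situation Sanjay describes) or a shifted range. On a 2011-era kernel the file is absent or identity-only, which is exactly the missing isolation the thread is about.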
