[Lxc-users] Mitigating LXC Container Evasion?

Andre Nathan andre at digirati.com.br
Mon Aug 1 12:27:57 UTC 2011


Hi Olivier

On Sun, 2011-07-31 at 16:42 +0200, Mauras Olivier wrote:
> Furthermore system has SMACK enabled - Simplified Mandatory Access
> Control - a label based MAC.
> Each LXC container has its files and processes labeled differently -
> Labels which can't write the host system default label, so basically a
> root in a container can't make anything harmful on the host system.
> Same can be achieved _less easily_ with SELinux - Look at IBM papers.

Would you mind sharing your SMACK setup?

Also, do you know how this applies to bind-mounted directories? Can I
label a container's files when they are read-only bind-mounted from the
host?

Thanks,
Andre
