[Lxc-users] Mitigating LXC Container Evasion?
Andre Nathan
andre at digirati.com.br
Mon Aug 1 12:27:57 UTC 2011
Hi Olivier
On Sun, 2011-07-31 at 16:42 +0200, Mauras Olivier wrote:
> Furthermore system has SMACK enabled - Simplified Mandatory Access
> Control - a label based MAC.
> Each LXC container has its files and processes labeled differently -
> Labels which can't write the host system default label, so basically a
> root in a container can't make anything harmful on the host system.
> Same can be achieved _less easily_ with SELinux - Look at IBM papers.
Would you mind sharing your SMACK setup?
Also, do you know how this applies to bind-mounted directories? Can I
label a container's files when they are read-only bind-mounted from the
host?
Thanks,
Andre
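The per-container labeling Olivier describes (container processes and files carry their own label, and no container label is granted write access to the host label) can be checked against SMACK's documented decision order without touching a live kernel. The following is an added example, not code from the thread or from LXC: a small POSIX shell model of the SMACK access check applied to a constructed rule set. The labels `host`, `cont1` and `cont2`, the rule lines and the modes granted are assumptions for illustration; nothing here writes to smackfs or to `security.SMACK64` xattrs.

```shell
#!/bin/sh
# Added example (not from the lxc-users thread): a pure-shell model of the
# SMACK access decision, applied to a constructed rule set in which each
# container has its own label and no container label may write the host label.
# Labels, rule lines and modes are assumptions; nothing here touches the kernel.

# Constructed rule set in the "subject object access" line format that
# smackload reads (for example from /etc/smack/accesses). "host" is the
# assumed label on the host's files and processes; cont1/cont2 are containers.
SMACK_RULES='
cont1 host rx
cont2 host rx
host cont1 rwxa
host cont2 rwxa
'

# smack_allowed SUBJECT OBJECT MODE -> exit 0 if MODE (one of r w x a) is
# permitted, 1 if denied. Mirrors the ordered checks in the kernel's
# Documentation/security/Smack.txt: star subject, hat subject, floor object,
# star object, same label, explicit rule, default deny.
smack_allowed() {
    subj=$1; obj=$2; mode=$3
    [ "$subj" = "*" ] && return 1                 # a "*" task gets nothing
    case "$mode" in
        r|x)
            [ "$subj" = "^" ] && return 0         # "^" task may read/exec anything
            [ "$obj" = "_" ] && return 0          # floor object readable by all
            ;;
    esac
    [ "$obj" = "*" ] && return 0                  # "*" object: everything allowed
    [ "$subj" = "$obj" ] && return 0              # same label: allowed
    # Explicit rule for the (subject, object) pair; a later line for the same
    # pair replaces an earlier one, as loading a duplicate rule would.
    found=""
    while read -r rs ro ra; do
        [ -z "$rs" ] && continue
        if [ "$rs" = "$subj" ] && [ "$ro" = "$obj" ]; then
            found=$ra
        fi
    done <<EOF
$SMACK_RULES
EOF
    case "$found" in
        *"$mode"*) return 0 ;;
    esac
    return 1                                      # nothing matched: deny
}

# smack_modes SUBJECT OBJECT -> prints the permitted subset of "rwxa", or "-"
smack_modes() {
    out=""
    for m in r w x a; do
        smack_allowed "$1" "$2" "$m" && out="$out$m"
    done
    printf '%s\n' "${out:--}"
}

# Demo: what each label may do to the host label, to other containers,
# and to the floor label "_".
for s in cont1 cont2 host; do
    for o in host cont1 cont2 _; do
        printf '%-5s -> %-5s : %s\n' "$s" "$o" "$(smack_modes "$s" "$o")"
    done
done
```

Under this rule set a container label can read and execute host-labeled objects but never write or append to them, and two container labels get no access to each other at all; the host label keeps full access to both containers. Note that the model only covers the rule logic: on a real system the labels come from the `security.SMACK64` xattr on each inode, and the rules must actually be loaded into smackfs.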