[Lxc-users] security question

Ulli Horlacher framstag at rus.uni-stuttgart.de
Fri Aug 19 22:54:03 UTC 2011


On Fri 2011-08-19 (15:38), Dong-In David Kang wrote:

> We've found out that inside of an LXC instance, root can insert/remove modules of the host.
> Is it normal?
> If it is doable, an LXC image may corrupt the host system, which is not good in terms of security.

Put:

lxc.cap.drop = sys_module

to your LXC container config file.
And by the way:

lxc.cap.drop = sys_admin

is also a good idea, to prevent that the container root can modify mount
options, for example set the container filesystem to read-only, which can
effect ALL containers!


-- 
Ullrich Horlacher              Server- und Arbeitsplatzsysteme
Rechenzentrum                  E-Mail: horlacher at rus.uni-stuttgart.de
Universitaet Stuttgart         Tel:    ++49-711-685-65868
Allmandring 30                 Fax:    ++49-711-682357
70550 Stuttgart (Germany)      WWW:    http://www.rus.uni-stuttgart.de/




More information about the lxc-users mailing list