[Lxc-users] security question
Stéphane Graber
stgraber at ubuntu.com
Fri Aug 19 23:42:16 UTC 2011
On 08/19/2011 03:54 PM, Ulli Horlacher wrote:
> On Fri 2011-08-19 (15:38), Dong-In David Kang wrote:
>
>> We've found out that inside of an LXC instance, root can insert/remove modules of the host.
>> Is it normal?
>> If it is doable, an LXC image may corrupt the host system, which is not good in terms of security.
>
> Put:
>
> lxc.cap.drop = sys_module
>
> to your LXC container config file.
> And by the way:
>
> lxc.cap.drop = sys_admin
>
> is also a good idea, to prevent that the container root can modify mount
> options, for example set the container filesystem to read-only, which can
> affect ALL containers!
So, for a more generic answer:
LXC doesn't pretend to be secure when you run stuff as root inside the
container. The proposed solutions above will restrict what root can do
and so may solve a good part of your issues.
Stuff like "echo b > /proc/sysrq-trigger" will still be possible until
we get the user namespaces (that specific example could be blocked by
some of the security modules though).
Last week during the LXC/container hackfest in Austin, there was some
good progress made on the user namespace and so we can hope to
have it eventually implemented in the kernel.
Until then, I'd recommend not running untrusted software as root in a
container. It's perfectly safe to run something as a user though.
For cases where you trust your container user, like development
environments, it's of course fine running stuff as root and I do that
everyday.
Hope that clarifies the current situation :)
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
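The two capability drops suggested in the thread (sys_module against loading host modules, sys_admin against remounting) are only useful if they are really present in the container config and really absent from root's effective set inside the container. The script below is an added example, not code from the thread or from the LXC project: it audits a config file for `lxc.cap.drop` lines covering both capabilities, and decodes a `CapEff` mask of the kind printed by `grep CapEff /proc/self/status` to confirm the bits are gone. The config files and the hex masks are constructed here so the script runs offline; the bit numbers (CAP_SYS_MODULE = 16, CAP_SYS_ADMIN = 21) are the ones from linux/capability.h.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Two checks for the "lxc.cap.drop = sys_module sys_admin" advice:
#   1. does the container config actually drop both capabilities?
#   2. does a CapEff mask (from /proc/<pid>/status) still carry them?

# Capability bit numbers as defined in linux/capability.h
CAP_SYS_MODULE=16
CAP_SYS_ADMIN=21

# lxc_missing_caps CONFIG_FILE
# Prints the subset of {sys_module, sys_admin} that no lxc.cap.drop line
# in CONFIG_FILE drops. Several lxc.cap.drop lines and space-separated
# values on one line are both accepted; commented-out lines are ignored.
lxc_missing_caps() {
    config="$1"
    dropped=$(sed -n 's/^[[:space:]]*lxc\.cap\.drop[[:space:]]*=[[:space:]]*//p' "$config" | tr '\n' ' ')
    missing=""
    for cap in sys_module sys_admin; do
        case " $dropped " in
            *" $cap "*) ;;
            *) missing="$missing $cap" ;;
        esac
    done
    echo "${missing# }"
}

# cap_in_mask HEXMASK BITNUMBER
# Succeeds when bit BITNUMBER is set in a CapEff-style hex mask.
cap_in_mask() {
    [ $(( 0x$1 >> $2 & 1 )) -eq 1 ]
}

# cap_report HEXMASK
# Prints which of the two dangerous capabilities the effective mask still holds.
cap_report() {
    out=""
    cap_in_mask "$1" "$CAP_SYS_MODULE" && out="$out sys_module"
    cap_in_mask "$1" "$CAP_SYS_ADMIN" && out="$out sys_admin"
    echo "${out# }"
}

# Constructed sample configs, written to a temp dir so this runs stand-alone.
tmp=$(mktemp -d)
cat > "$tmp/weak.conf" <<'EOF'
lxc.utsname = devbox
lxc.rootfs = /var/lib/lxc/devbox/rootfs
EOF
cat > "$tmp/hardened.conf" <<'EOF'
lxc.utsname = devbox
lxc.rootfs = /var/lib/lxc/devbox/rootfs
# stop container root from loading host modules or changing mounts
lxc.cap.drop = sys_module sys_admin
EOF

echo "weak.conf still needs:     $(lxc_missing_caps "$tmp/weak.conf")"
echo "hardened.conf still needs: $(lxc_missing_caps "$tmp/hardened.conf")"

# Inside a running container the real value comes from:
#   grep CapEff /proc/self/status
# Constructed masks: a full root set, and the same set with bits 16 and 21 cleared.
echo "full root mask keeps:   $(cap_report 0000003fffffffff)"
echo "dropped mask keeps:     $(cap_report 0000003fffdeffff)"
rm -rf "$tmp"
```

Run it as-is to see the two sample configs classified, then point `lxc_missing_caps` at a real container config and paste the container's `CapEff` value into `cap_report`. Bear in mind the post's own caveat: dropping these two capabilities removes specific host-affecting powers, it does not turn container root into an unprivileged user.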