[Lxc-users] lxc and guest /proc/kcore access restriction

Fiedler Roman Roman.Fiedler at ait.ac.at
Wed Dec 14 10:23:58 UTC 2011


Hi Serge,

> -----Ursprüngliche Nachricht-----
> Von: Serge Hallyn [mailto:serge.hallyn at canonical.com]
> An: Fiedler Roman
> Cc: lxc-users at lists.sourceforge.net
> Betreff: Re: [Lxc-users] lxc and guest /proc/kcore access restriction
> 
> Quoting Fiedler Roman (Roman.Fiedler at ait.ac.at):
> > Hello List,
> >
> > I have problems finding information about lxc with system virtualization
> and access restriction to /proc/kcore. In my setup, root in guest can read
> /proc/kcore, data from host shows up in container kcore, so kcore is not
> somehow faked/virtualized.
> >
> > I did not find no suitable information about securing /proc use inside
> container, so perhaps someone could point me to information to these
> questions?
> >
> > * Is secure /proc use (no escape, no major host/container or inter-
> container info leaks) inside guest possible?
> 
> ATM I recommend you use an LSM to do that.

Thanks for the hint, I'm looking into that.


Is there anyone on this list, who is already using kernel memory isolation between guest and host or between guests? Which LSM variant and configuration is useful? Is there a good base configuration to start with?

I'm using http://www.ibm.com/developerworks/linux/library/l-lxc-security/index.html?ca=dgr-lnxw961ELinux-Smack-Contains&S_TACT=105AGX59&S_CMP=grsitelnxw961 for a start, but I guess it is a long road until all access to all critical /proc components and syscalls is restricted.

Thanks,
Roman




More information about the lxc-users mailing list