[Lxc-users] lxc and guest /proc/kcore access restriction

Serge Hallyn serge.hallyn at canonical.com
Wed Dec 14 15:08:03 UTC 2011


Quoting Fiedler Roman (Roman.Fiedler at ait.ac.at):
> Hi Serge,
> 
> > -----Ursprüngliche Nachricht-----
> > Von: Serge Hallyn [mailto:serge.hallyn at canonical.com]
> > An: Fiedler Roman
> > Cc: lxc-users at lists.sourceforge.net
> > Betreff: Re: [Lxc-users] lxc and guest /proc/kcore access restriction
> > 
> > Quoting Fiedler Roman (Roman.Fiedler at ait.ac.at):
> > > Hello List,
> > >
> > > I have problems finding information about lxc with system virtualization
> > and access restriction to /proc/kcore. In my setup, root in guest can read
> > /proc/kcore, data from host shows up in container kcore, so kcore is not
> > somehow faked/virtualized.
> > >
> > > I did not find no suitable information about securing /proc use inside
> > container, so perhaps someone could point me to information to these
> > questions?
> > >
> > > * Is secure /proc use (no escape, no major host/container or inter-
> > container info leaks) inside guest possible?
> > 
> > ATM I recommend you use an LSM to do that.
> 
> Thanks for the hint, I'm looking into that.
> 
> 
> Is there anyone on this list, who is already using kernel memory isolation between guest and host or between guests? Which LSM variant and configuration is useful? Is there a good base configuration to start with?

Yes, check out

http://osdir.com/ml/lxc-chroot-linux-containers/2011-08/msg00004.html

for Olivier using Smack.  I don't know of anyone using SELinux, but it
should be a snap.


> I'm using http://www.ibm.com/developerworks/linux/library/l-lxc-security/index.html?ca=dgr-lnxw961ELinux-Smack-Contains&S_TACT=105AGX59&S_CMP=grsitelnxw961 for a start, but I guess it is a long road until all access to all critical /proc components and syscalls is restricted.

In the next few months we hope to have effective (not very flexibile, but
effective) apparmor support.  Then over the next 6 months after that, more
flexibility will be added.  (I can say more about the limitations etc, but
I suspect as you can't use it right now that's less interesting to you
than following up on the Smack usage.) http://wiki.ubuntu.com/LxcSecurity
may be of interest.

-serge




More information about the lxc-users mailing list