[Lxc-users] Mitigating LXC Container Evasion?

Matthew Franz mdfranz at gmail.com
Sun Jul 31 15:06:00 UTC 2011


Patrick/Oliver,

Thanks for the quick response. As a security guy I hate it when folks
post weaknesses without providing (or taking the time to investigate)
workarounds.

And there seems to be a lot of FUD out there on the blogs regarding
OpenVZ vs. LXC.  :(

- mdf

On Sun, Jul 31, 2011 at 10:58 AM, root <root at srvweb.net.caen> wrote:
> On Sat, Jul 30, 2011 at 09:10:33PM -0400, Matthew Franz wrote:
>> Had seen some previous discussions before, but are there any ways to
>> mitigate this design vulnerability?
>>
>> http://blog.bofh.it/debian/id_413
>>
>> Are there any workarounds?
>>
>> Thanks,
>>
>> - mdf
>>
>> --
>> --
>> Matthew Franz
>> mdfranz at gmail.com
>>
>>
>
> Hello,
>
> If you modify the container's config file like this:
>
> lxc.mount.entry=sysfs /usr/local/var/lib/lxc/lxc6/rootfs/sys sysfs ro,defaults  0 0
>
> you can't write to /sys.
>
> Patrick
>
>



-- 
--
Matthew Franz
mdfranz at gmail.com
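
Added example (not part of the original thread or of LXC itself): a small Python check that reads a container config and reports whether sysfs is mounted read-only through lxc.mount.entry, as Patrick's reply suggests. The sample configs are constructed from the entry quoted above; treating a later ro/rw option as overriding an earlier one is an assumption about option handling.

```python
import sys

# Constructed samples: the entry quoted in the thread, and a writable variant.
HARDENED = "lxc.mount.entry=sysfs /usr/local/var/lib/lxc/lxc6/rootfs/sys sysfs ro,defaults  0 0\n"
WRITABLE = "lxc.mount.entry = sysfs /usr/local/var/lib/lxc/lxc6/rootfs/sys sysfs defaults 0 0\n"


def mount_entries(config_text):
    """Yield (mountpoint, fstype, options) for each lxc.mount.entry line."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no settings
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "lxc.mount.entry":
            continue
        fields = value.split()  # fstab layout: fsname dir type options dump pass
        if len(fields) < 4:
            continue  # malformed entry, no options field to inspect
        yield fields[1], fields[2], fields[3].split(",")


def sysfs_findings(config_text):
    """Return a list of problems; an empty list means sysfs is configured read-only."""
    findings, seen = [], False
    for mountpoint, fstype, options in mount_entries(config_text):
        if fstype != "sysfs":
            continue
        seen = True
        mode = "rw"  # a mount is writable unless ro is requested
        for opt in options:
            if opt in ("ro", "rw"):
                mode = opt  # assumption: the later option wins
        if mode != "ro":
            findings.append(f"{mountpoint}: sysfs entry is writable ({','.join(options)})")
    if not seen:
        findings.append("no sysfs lxc.mount.entry found; read-only mount not configured")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WRITABLE
    problems = sysfs_findings(text)
    for problem in problems:
        print("FINDING:", problem)
    sys.exit(1 if problems else 0)
```

Run it with the path to a container's config file; it exits non-zero when the read-only sysfs entry is missing or writable.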



