[Lxc-users] Mitigating LXC Container Evasion?

Robert Kawecki thewanderer at gim11.pl
Sun Jul 31 15:59:21 UTC 2011


On Sat, 2011-07-30 at 21:10 -0400, Matthew Franz wrote:
> Had seen some previous discussions before, but are there any ways to
> mitigate this design vulnerability?
> 
> http://blog.bofh.it/debian/id_413
> 
> Are there any workarounds?
> 
> Thanks,
> 
> - mdf
> 

The blog post explicitly mounts /sys... Why would you want your
container to even have the capability to mount anything? If possible,
drop CAP_SYS_ADMIN.
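
One way to verify the advice above from inside a container (an added example, not part of the original message): with `lxc.cap.drop = sys_admin` in the container's configuration, CAP_SYS_ADMIN (capability bit 21) should be absent from the capability masks in /proc/self/status. The function names and the sample mask values below are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether CAP_SYS_ADMIN is still available to a
# process, based on the Cap* masks in a /proc/<pid>/status file.

CAP_SYS_ADMIN_BIT=21   # value of CAP_SYS_ADMIN in linux/capability.h

# cap_in_mask HEXMASK BIT -> exit status 0 if BIT is set in HEXMASK
cap_in_mask() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# mask_from_status FIELD FILE -> print the hex mask of CapBnd, CapPrm, ...
mask_from_status() {
    awk -v f="$1:" '$1 == f { print $2 }' "$2"
}

# sys_admin_state [FILE] -> print "dropped", "present" or "unknown".
# "present" means the bit is set in the bounding, permitted or effective
# set, so the process can still hold or regain the right to call mount(2).
sys_admin_state() {
    status_file=${1:-/proc/self/status}
    for field in CapBnd CapPrm CapEff; do
        mask=$(mask_from_status "$field" "$status_file")
        if [ -z "$mask" ]; then
            echo "unknown"
            return 0
        fi
        if cap_in_mask "$mask" "$CAP_SYS_ADMIN_BIT"; then
            echo "present"
            return 0
        fi
    done
    echo "dropped"
}

# Constructed sample: status lines of a container process started with
# CAP_SYS_ADMIN dropped (mask values made up for illustration).
sample=$(mktemp)
printf 'CapPrm:\t000001ffffdfffff\nCapEff:\t000001ffffdfffff\nCapBnd:\t000001ffffdfffff\n' > "$sample"
echo "constructed sample: CAP_SYS_ADMIN $(sys_admin_state "$sample")"
rm -f "$sample"
```

Inside a running container, calling `sys_admin_state` with no argument reads /proc/self/status for the current shell.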




