[Lxc-users] Mitigating LXC Container Evasion?
Robert Kawecki
thewanderer at gim11.pl
Sun Jul 31 15:59:21 UTC 2011
On Sat, 2011-07-30 at 21:10 -0400, Matthew Franz wrote:
> Had seen some previous discussions before, but are there any ways to
> mitigate this design vulnerability?
>
> http://blog.bofh.it/debian/id_413
>
> Are there any workarounds?
>
> Thanks,
>
> - mdf
>
The blog post explicitly mounts /sys... Why would you want your
container to even have the capability to mount anything? If possible,
drop CAP_SYS_ADMIN.
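
A way to verify the advice above, as an added example that is not part of the original message or of LXC itself: with the capability dropped in the container config (`lxc.cap.drop = sys_admin`), this script decodes the capability masks in `/proc/<pid>/status` and reports which sets still hold CAP_SYS_ADMIN. The two status excerpts and the function names are constructed for illustration.

```python
import re
import sys

CAP_SYS_ADMIN = 21  # bit number of CAP_SYS_ADMIN in linux/capability.h

# Constructed sample: container init started with sys_admin dropped
# (bit 21 is cleared in the permitted, effective and bounding sets).
SAMPLE_DROPPED = (
    "Name:\tinit\nPid:\t1\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\tffffffffffdfffff\n"
    "CapEff:\tffffffffffdfffff\n"
    "CapBnd:\tffffffffffdfffff\n"
)

# Constructed sample: container init that kept the full capability set.
SAMPLE_RETAINED = (
    "Name:\tinit\nPid:\t1\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\tffffffffffffffff\n"
    "CapEff:\tffffffffffffffff\n"
    "CapBnd:\tffffffffffffffff\n"
)

CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd)):\s*([0-9a-fA-F]+)$", re.M)


def cap_sets(status_text):
    """Map each capability set name to its integer bitmask."""
    return {name: int(mask, 16) for name, mask in CAP_LINE.findall(status_text)}


def sets_with_sys_admin(status_text):
    """Return the sorted names of the sets that still contain CAP_SYS_ADMIN.

    An empty list means the process cannot call mount(2) and cannot regain
    the capability through exec, because the bounding set lacks it too.
    """
    sets = cap_sets(status_text)
    if "CapBnd" not in sets:
        raise ValueError("no CapBnd line: input is not a /proc/<pid>/status dump")
    return sorted(n for n, mask in sets.items() if mask & (1 << CAP_SYS_ADMIN))


if __name__ == "__main__":
    # Inside the container, PID 1 is the container's init.
    path = sys.argv[1] if len(sys.argv) > 1 else "/proc/1/status"
    with open(path) as fh:
        found = sets_with_sys_admin(fh.read())
    print("CAP_SYS_ADMIN present in:", ", ".join(found) if found else "no set")
    sys.exit(1 if found else 0)
```

Run it inside the container against `/proc/1/status`; a non-zero exit status means the drop did not take effect.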