[Lxc-users] Mitigating LXC Container Evasion?

root root at srvweb.net.caen
Sun Jul 31 14:58:15 UTC 2011


On Sat, Jul 30, 2011 at 09:10:33PM -0400, Matthew Franz wrote:
> Had seen some previous discussions before, but are there any ways to
> mitigate this design vulnerability?
> 
> http://blog.bofh.it/debian/id_413
> 
> Are there any workarounds?
> 
> Thanks,
> 
> - mdf
> 
> -- 
> --
> Matthew Franz
> mdfranz at gmail.com
> 

Hello,

If you modify the container's config file like this:

lxc.mount.entry=sysfs /usr/local/var/lib/lxc/lxc6/rootfs/sys sysfs ro,defaults  0 0

you can't write to /sys. 

Patrick
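
Added example, not part of the original message: a shell function that checks whether sysfs is read-only, reading either a container config with lxc.mount.entry lines like the one above or a mount table in /proc/mounts format. The function name sysfs_state and its ro/rw/missing output words are assumptions made for this example.

```shell
#!/bin/sh
# sysfs_state FILE
# FILE is an LXC container config or a mount table in /proc/mounts format.
# Prints one word:
#   ro      - every sysfs mount listed carries the "ro" option
#   rw      - at least one sysfs mount lacks "ro"
#   missing - no sysfs mount is listed at all
sysfs_state() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            line = $0
            # Strip the LXC key so the rest parses like an fstab line.
            if (line ~ /^[ \t]*lxc\.mount\.entry[ \t]*=/)
                sub(/^[ \t]*lxc\.mount\.entry[ \t]*=[ \t]*/, "", line)
            else if (line ~ /^[ \t]*lxc\./)
                next                             # some other LXC key
            sub(/^[ \t]+/, "", line)
            # Fields: device, mount point, fstype, options, dump, pass
            n = split(line, f, /[ \t]+/)
            if (n < 4 || f[3] != "sysfs") next
            found = 1
            ro = 0
            m = split(f[4], opt, ",")
            for (i = 1; i <= m; i++) if (opt[i] == "ro") ro = 1
            if (!ro) writable = 1
        }
        END {
            if (!found)        print "missing"
            else if (writable) print "rw"
            else               print "ro"
        }
    ' "$1"
}

# Usage (paths are placeholders):
#   sysfs_state /path/to/container/config   # what the config asks for
#   sysfs_state /proc/mounts                # inside the container: what is in effect
```

The config only states intent, so run the second form inside the started container to confirm the mount actually in effect is read-only.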




