[Lxc-users] [Spam-Wahrscheinlichkeit=94]Re: Howto detect the containers host

Daniel Lezcano daniel.lezcano at free.fr
Thu May 26 21:06:00 UTC 2011


On 05/26/2011 11:57 AM, Papp Tamas wrote:
> On 05/26/2011 11:37 AM, Jäkel, Guido wrote:
>> Papp>I hope a container cannot identify its host.
>>
>> You mean that's a concern of security? Why it shouldn't; "security through obscurity" is never a solution at all, you'll know!
> Yes, that's true, but this is not the case.
> Actually lxc at this time not so good in security, so I think, every
> small hardening step can help a bit.
>
> By the way, when will it possible to prohibit a container to read and
> write the dmesg of the host system?
> Also what about reading and modifying cgroup settings?
I am currently working on a prototype based on cgroup to deny access to 
a specific file with a specific operation.
As soon as finished the POC, I will drop an url to a kernel with this 
feature. I hope some of you will have some interest to shake the code a 
bit and check if it is suitable for all security purposes we want to fix.




More information about the lxc-users mailing list