[Lxc-users] [Spam-Wahrscheinlichkeit=94]Re: Howto detect the containers host

Papp Tamas tompos at martos.bme.hu
Thu May 26 21:15:06 UTC 2011


On 05/26/2011 11:06 PM, Daniel Lezcano wrote:
> On 05/26/2011 11:57 AM, Papp Tamas wrote:
>> On 05/26/2011 11:37 AM, Jäkel, Guido wrote:
>>> Papp>I hope a container cannot identify its host.
>>>
>>> You mean that's a concern of security? Why shouldn't it? "Security
>>> through obscurity" is never a solution at all, you'll know!
>> Yes, that's true, but this is not the case.
>> Actually lxc at this time is not so good in security, so I think every
>> small hardening step can help a bit.
>>
>> By the way, when will it be possible to prohibit a container from reading and
>> writing the dmesg of the host system?
>> Also what about reading and modifying cgroup settings?
> I am currently working on a prototype based on cgroup to deny access 
> to a specific file with a specific operation.
> As soon as I have finished the POC, I will drop a URL to a kernel with this
> feature. I hope some of you will have some interest to shake the code 
> a bit and check if it is suitable for all security purposes we want to 
> fix.

Very-very good news.
Unfortunately I'm not a developer, but I'm happy to hear this :)

tamas



