[Lxc-users] Security in LXC

Shweta Shinde shwetasshinde24 at gmail.com
Wed Feb 1 05:28:43 UTC 2012


Thanks for your kind response.
As we see, Ubuntu is making use of LXC to have virtualization over the cloud
<http://daniil.kulchenko.com/blog/2011/10/virtualization-using-lxc-linux-containers-in-amazon-ec2/>; I am interested
to know any insights about the same.
Is LSM required compulsorily, or can we have some workaround to overcome
the /proc issue by limiting the capabilities of containers?

--
Regards,
Shweta




On Tue, Jan 31, 2012 at 6:44 PM, Fiedler Roman <Roman.Fiedler at ait.ac.at>wrote:

> > From: Shweta Shinde [mailto:shwetasshinde24 at gmail.com]
> > Sent: Tuesday, 31 January 2012 13:09
> > To: lxc-users at lists.sourceforge.net
> > Subject: [Lxc-users] Security in LXC
> >
> > Hi everyone,
> > I am working on LXC containers for my project. I am interested in the
> security aspects of LXC.
> > What are the security threats from isolation perspective while using
> containers?
> >
> > How can we use SELinux to secure container?
> > Any information will be very helpful.
>
> To my understanding, lxc without LSM is only useful to separate processes
> or network traffic for simpler setup/administration, but currently the
> lxc separation is not very strict from a security point of view. Without LSM
> and lxc system virtualization, guest root == host root, e.g. via access of
> /proc/kcore, mem, ...
>
> See
> http://www.mail-archive.com/lxc-users@lists.sourceforge.net/msg03039.html
>
> Since I'm not sure that I could harden an LSM policy that prevents a
> guest UID=0 process from accessing anything outside the container (there
> may be a thousand ways via proc and syscalls I don't know about), I
> refrained from using lxc for system virtualization until secure open-source
> policies are available.
>
> Kind regards,
> Roman
>
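As an added illustration (not code from this thread or from the LXC project), the script below audits an LXC container config for the mitigations the thread touches on: dropping capabilities via lxc.cap.drop (CAP_SYS_RAWIO gates /dev/mem and /proc/kcore, CAP_SYS_MODULE gates module loading), denying devices by default so /dev/mem and /dev/kmem cannot be created inside the container, and setting an LSM profile. The two sample configs are constructed, and the config keys assume the LXC 0.7/0.8-era syntax with Ubuntu's AppArmor integration (lxc.aa_profile) as the LSM indicator.

```python
import re

# Constructed sample: a loose container config, not taken from any real host.
WEAK_CONF = """\
lxc.utsname = guest
lxc.rootfs = /var/lib/lxc/guest/rootfs
lxc.cgroup.devices.allow = a
lxc.aa_profile = unconfined
"""

# Constructed sample: the same container with the mitigations applied.
HARDENED_CONF = """\
lxc.utsname = guest
lxc.rootfs = /var/lib/lxc/guest/rootfs
lxc.cap.drop = sys_module sys_rawio sys_admin mac_admin mac_override
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.aa_profile = lxc-container-default
"""

# Capabilities that let container root reach host memory or the kernel.
REQUIRED_DROPS = ("sys_rawio", "sys_module", "sys_admin")
# "a" allows every device; /dev/mem and /dev/kmem are char major 1, minor 1 and 2.
MEMORY_DEVICES = re.compile(r"^(a$|c\s+1:[12]\s)")

def parse_conf(text):
    """Return (key, value) pairs in file order; LXC lets a key repeat."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        pairs.append((key.strip(), value.strip()))
    return pairs

def audit_lxc_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    pairs = parse_conf(text)
    values = lambda k: [v for key, v in pairs if key == k]
    findings = []
    dropped = set(" ".join(values("lxc.cap.drop")).split())
    findings += [f"capability {c} is not in lxc.cap.drop" for c in REQUIRED_DROPS if c not in dropped]
    if "a" not in values("lxc.cgroup.devices.deny"):
        findings.append("no default device deny (lxc.cgroup.devices.deny = a)")
    for allow in values("lxc.cgroup.devices.allow"):
        if MEMORY_DEVICES.match(allow):
            findings.append(f"device allow rule '{allow}' exposes /dev/mem or /dev/kmem")
    profile = values("lxc.aa_profile")
    if not profile or profile[-1] == "unconfined":
        findings.append("no LSM confinement (lxc.aa_profile missing or unconfined)")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_lxc_conf(conf) or ["ok"])
```

A clean result only means these particular settings are present; it does not establish that a guest UID 0 process is contained against the other /proc and syscall paths Roman mentions.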