[Lxc-users] Security in LXC
Fiedler Roman
Roman.Fiedler at ait.ac.at
Tue Jan 31 13:14:33 UTC 2012
> Von: Shweta Shinde [mailto:shwetasshinde24 at gmail.com]
> Gesendet: Dienstag, 31. Januar 2012 13:09
> An: lxc-users at lists.sourceforge.net
> Betreff: [Lxc-users] Security in LXC
>
> Hi everyone,
> I am working on LXC containers for my project. I am interested in the security aspects of LXC.
> What are the security threats from isolation perspective while using containers?
>
> How can we use SELinux to secure container?
> Any information will be very helpful.
To my understanding, lxc without LSM is only useful to separate processes or network traffic for simpler setup/administration, but currently the lxc-separation is not very strict from security point of view. Without LSM and lxc system virtualization, guest root == host root, e.g. via access of /proc/kcore, mem, ...
See http://www.mail-archive.com/lxc-users@lists.sourceforge.net/msg03039.html
Since I'm not sure, that I could harden a LSM policy, that prevents a guest UID=0 process from accessing anything outside the container (there may be a thousand ways via proc and syscalls, I don't know about), I refrained from using lxc for system virtualization until secure open-source policies are available.
Kind regards,
Roman
More information about the lxc-users
mailing list