[Lxc-users] drop CAP_SYS_RAWIO?
Ulli Horlacher
framstag at rus.uni-stuttgart.de
Thu Oct 24 07:19:00 UTC 2013
So far, I drop these capabilities in my containers to enhance security:
lxc.cap.drop = mac_override
lxc.cap.drop = sys_module
lxc.cap.drop = sys_boot
lxc.cap.drop = sys_admin
lxc.cap.drop = sys_time
What about sys_rawio?
The problem is, this capability allows access to /proc/kcore.
Can I drop it or is it necessary for important programs?
--
Ullrich Horlacher Informationssysteme und Serverbetrieb
Rechenzentrum IZUS/TIK E-Mail: horlacher at tik.uni-stuttgart.de
Universitaet Stuttgart Tel: ++49-711-68565868
Allmandring 30a Fax: ++49-711-682357
70550 Stuttgart (Germany) WWW: http://www.tik.uni-stuttgart.de/
REF:<20131024071900.GD12072 at rus.uni-stuttgart.de>
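One way to confirm that lxc.cap.drop lines like those in the post took effect is to decode the capability bounding set (CapBnd) from /proc/<pid>/status inside the container. This is an added example, not part of the original message: the function names are hypothetical, the bit numbers are taken from linux/capability.h, and the sample mask is constructed.

```sh
#!/bin/sh
# Added example: report which capabilities are still in a bounding set mask.

# Bit numbers (linux/capability.h) for the capabilities named in the post.
cap_bit() {
    case "$1" in
        sys_module)   echo 16 ;;
        sys_rawio)    echo 17 ;;
        sys_admin)    echo 21 ;;
        sys_boot)     echo 22 ;;
        sys_time)     echo 25 ;;
        mac_override) echo 32 ;;
        *) echo "unknown capability: $1" >&2; return 1 ;;
    esac
}

# cap_in_mask HEXMASK NAME: exit 0 if NAME is still present in HEXMASK.
cap_in_mask() {
    bit=$(cap_bit "$2") || return 2
    [ $(( (0x$1 >> $bit) & 1 )) -eq 1 ]
}

# caps_still_present HEXMASK NAME...: print the names that were NOT dropped.
caps_still_present() {
    mask=$1; shift
    out=""
    for name in "$@"; do
        if cap_in_mask "$mask" "$name"; then out="$out $name"; fi
    done
    echo "${out# }"
}

# read_capbnd [PID]: print the CapBnd hex mask of PID (default: this shell).
read_capbnd() {
    awk '/^CapBnd:/ {print $2}' "/proc/${1:-self}/status"
}

# Constructed sample mask: bits 0-36 set, minus the five capabilities the
# post already drops (bits 16, 21, 22, 25, 32). sys_rawio (bit 17) remains.
SAMPLE_MASK=0000001efd9effff
echo "still present: $(caps_still_present "$SAMPLE_MASK" \
    mac_override sys_module sys_boot sys_admin sys_time sys_rawio)"
```

Inside a container, replace the sample mask with `"$(read_capbnd 1)"` to check the container's init process.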