[Lxc-users] drop CAP_SYS_RAWIO?
Andreas Laut
andreas.laut at spark5.de
Thu Oct 24 07:31:58 UTC 2013
Hi Ulli,
we've dropped rawio (due to security reasons) and didn't face any
problems. The lxc host seems to do all of the necessary /proc operations. We
also mounted the /proc filesystem ro in containers.
Regards,
Andreas
On 24.10.2013 09:19, Ulli Horlacher wrote:
> So far, I drop these capabilities in my containers to enhance security:
>
> lxc.cap.drop = mac_override
> lxc.cap.drop = sys_module
> lxc.cap.drop = sys_boot
> lxc.cap.drop = sys_admin
> lxc.cap.drop = sys_time
>
> What about sys_rawio?
> The problem is, this capability allows access to /proc/kcore
> Can I drop it or is it necessary for important programs?
>
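As an added check (example code, not from this thread or from LXC itself), a POSIX shell script run inside a container that verifies CAP_SYS_RAWIO (capability 17) is absent from the bounding set reported as CapBnd in /proc/self/status and that /proc is mounted read-only; the sample status and mounts text is constructed, not captured from a real container.

```shell
#!/bin/sh
# Added example: audit that lxc.cap.drop = sys_rawio really removed the
# capability from the bounding set and that /proc is mounted ro.
# CAP_SYS_RAWIO is capability number 17 in <linux/capability.h>.
CAP_SYS_RAWIO=17

# cap_present MASKHEX CAPNUM: print "yes" if bit CAPNUM is set in the
# hexadecimal capability mask (the format used by /proc/<pid>/status).
cap_present() {
    if [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]; then echo yes; else echo no; fi
}

# cap_bnd_from_status STATUS_TEXT: extract the CapBnd (bounding set) mask.
cap_bnd_from_status() {
    printf '%s\n' "$1" | awk '/^CapBnd:/ { print $2 }'
}

# proc_is_ro MOUNTS_TEXT: "yes" if the /proc line in /proc/mounts has "ro".
proc_is_ro() {
    printf '%s\n' "$1" | awk '
        $2 == "/proc" && $3 == "proc" {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "ro") found = 1
        }
        END { print (found ? "yes" : "no") }'
}

# audit STATUS_TEXT MOUNTS_TEXT: "ok" only if rawio is gone AND /proc is ro.
audit() {
    bnd=$(cap_bnd_from_status "$1")
    if [ "$(cap_present "$bnd" "$CAP_SYS_RAWIO")" = no ] \
       && [ "$(proc_is_ro "$2")" = yes ]; then
        echo ok
    else
        echo "FAIL: CapBnd=$bnd proc_ro=$(proc_is_ro "$2")"
    fi
}

# Constructed sample input: a container that still has bit 17 in its
# bounding set and a writable /proc (the insecure state) ...
SAMPLE_STATUS_BAD='Name: sh
CapBnd: 0000003fffffffff'
SAMPLE_MOUNTS_BAD='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'
# ... and the same container after dropping sys_rawio and mounting /proc ro.
SAMPLE_STATUS_GOOD='Name: sh
CapBnd: 0000003ffffdffff'
SAMPLE_MOUNTS_GOOD='proc /proc proc ro,nosuid,nodev,noexec,relatime 0 0'

# When run directly on Linux, audit the live container as well.
if [ -r /proc/self/status ] && [ -r /proc/mounts ]; then
    audit "$(cat /proc/self/status)" "$(cat /proc/mounts)"
fi
```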