[lxc-users] basic security questions
Tamas Papp
tompos at martos.bme.hu
Sat Jan 31 15:01:10 UTC 2015
On 01/31/2015 03:46 PM, Tomasz Chmielewski wrote:
> I was wondering what is the best way to employ some basic security for
> lxc containers.
>
> On the host, I'm running Ubuntu 14.04, lxc 1.0.7 with kernel 3.18.5.
>
> 1. root user in lxc containers is able to view dmesg, even with:
>
> host# cat /proc/sys/kernel/dmesg_restrict
> 1
Use non-privileged containers.
> 2. lxc containers are able to write to /proc/sysrq-trigger - so can
> technically poweroff the host:
>
> guest# echo w > /proc/sysrq-trigger
> guest# dmesg
>
>
> 3. /proc/kcore? And perhaps anything else which might need blocking so
> that the guest is not able to read data from the host/other guests?
These two should be denied by apparmor, unless you run containers with an
unconfined apparmor profile.
cheers,
tamas
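An added example, not from either poster: a small POSIX shell audit of an lxc 1.0 container config for the two settings the answer above relies on (the AppArmor profile and the id mapping that makes a container unprivileged). It assumes the lxc 1.0 key names lxc.aa_profile and lxc.id_map; the config file it reads at the end is a constructed sample, not a real container's config.

```shell
#!/bin/sh
# Audit an lxc 1.0-style container config (e.g. /var/lib/lxc/NAME/config) for:
#   lxc.aa_profile = unconfined   -> apparmor will not deny /proc/sysrq-trigger or /proc/kcore
#   no lxc.id_map lines           -> container is privileged, so root inside it is real root
#                                    and dmesg_restrict=1 on the host does not help
# Prints one finding per line; returns 0 when both checks pass, 1 otherwise.
audit_lxc_config() {
    cfg="$1"
    rc=0
    # last uncommented lxc.aa_profile value wins (lxc reads the file top to bottom)
    profile=$(sed -n 's/^[[:space:]]*lxc\.aa_profile[[:space:]]*=[[:space:]]*//p' "$cfg" | tail -n 1)
    # count uid/gid mappings; grep -c prints 0 but exits 1 when there are none
    idmaps=$(grep -c '^[[:space:]]*lxc\.id_map[[:space:]]*=' "$cfg" || true)

    if [ "$profile" = "unconfined" ]; then
        echo "$cfg: lxc.aa_profile is unconfined; /proc/sysrq-trigger and /proc/kcore are not denied"
        rc=1
    fi
    if [ "$idmaps" -eq 0 ]; then
        echo "$cfg: no lxc.id_map lines; container is privileged, dmesg_restrict does not apply"
        rc=1
    fi
    return $rc
}

# Constructed sample config for a stand-alone run (hypothetical, not a real container)
sample=$(mktemp)
printf 'lxc.rootfs = /var/lib/lxc/example/rootfs\nlxc.aa_profile = unconfined\n' > "$sample"
audit_lxc_config "$sample" || echo "sample config fails the audit, as expected"
rm -f "$sample"
```

A config that sets no lxc.aa_profile at all falls back to the default profile, so it passes the first check; add `lxc.id_map` lines for both `u` and `g` ranges to pass the second.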