[lxc-users] basic security questions

Tamas Papp tompos at martos.bme.hu
Sat Jan 31 15:01:10 UTC 2015


On 01/31/2015 03:46 PM, Tomasz Chmielewski wrote:
> I was wondering what is the best way to employ some basic security for 
> lxc containers.
>
> On the host, I'm running Ubuntu 14.04, lxc 1.0.7 with kernel 3.18.5.
>
> 1. root user in lxc containers is able to view dmesg, even with:
>
> host# cat /proc/sys/kernel/dmesg_restrict
> 1

Use non-privileges containers.

> 2. lxc containers are able to write to /proc/sysrq-trigger - so can 
> technically poweroff the host:
>
> guest# echo w > /proc/sysrq-trigger
> guest# dmesg
>
>
> 3. /proc/kcore? And perhaps anything else which might need blocking so 
> that the guest is not able to read data from the host/other guests?

These two should be denied by apparmor, unless you run containers with 
unconfined apparmor profile.


cheers,
tamas


More information about the lxc-users mailing list