[lxc-users] basic security questions
Tomasz Chmielewski
mangoo at wpkg.org
Sat Jan 31 15:19:09 UTC 2015
On 2015-02-01 00:01, Tamas Papp wrote:
> On 01/31/2015 03:46 PM, Tomasz Chmielewski wrote:
>> I was wondering what is the best way to employ some basic security for
>> lxc containers.
>>
>> On the host, I'm running Ubuntu 14.04, lxc 1.0.7 with kernel 3.18.5.
>>
>> 1. root user in lxc containers is able to view dmesg, even with:
>>
>> host# cat /proc/sys/kernel/dmesg_restrict
>> 1
>
> Use non-privileges containers.
How do I do this?
I've created my container with:
lxc-create --template download --name container-name -B btrfs
"man lxc-create" does not contain "priv" string.
>> 2. lxc containers are able to write to /proc/sysrq-trigger - so can
>> technically poweroff the host:
>>
>> guest# echo w > /proc/sysrq-trigger
>> guest# dmesg
>>
>>
>> 3. /proc/kcore? And perhaps anything else which might need blocking so
>> that the guest is not able to read data from the host/other guests?
>
> These two should be denied by apparmor, unless you run containers with
> unconfined apparmor profile.
Is it documented anywhere?
Google search for "/proc/kcore site:linuxcontainers.org" does not seem
to return any related documentation (though I've seen a similar question
sent a few years ago, without any specific answers).
--
Tomasz Chmielewski
http://www.sslrack.com
More information about the lxc-users
mailing list