[lxc-users] basic security questions

Tomasz Chmielewski mangoo at wpkg.org
Sat Jan 31 15:19:09 UTC 2015


On 2015-02-01 00:01, Tamas Papp wrote:
> On 01/31/2015 03:46 PM, Tomasz Chmielewski wrote:
>> I was wondering what is the best way to employ some basic security for 
>> lxc containers.
>> 
>> On the host, I'm running Ubuntu 14.04, lxc 1.0.7 with kernel 3.18.5.
>> 
>> 1. root user in lxc containers is able to view dmesg, even with:
>> 
>> host# cat /proc/sys/kernel/dmesg_restrict
>> 1
> 
> Use non-privileges containers.

How do I do this?

I've created my container with:

lxc-create --template download --name container-name -B btrfs


"man lxc-create" does not contain "priv" string.


>> 2. lxc containers are able to write to /proc/sysrq-trigger - so can 
>> technically poweroff the host:
>> 
>> guest# echo w > /proc/sysrq-trigger
>> guest# dmesg
>> 
>> 
>> 3. /proc/kcore? And perhaps anything else which might need blocking so 
>> that the guest is not able to read data from the host/other guests?
> 
> These two should be denied by apparmor, unless you run containers with
> unconfined apparmor profile.

Is it documented anywhere?

Google search for "/proc/kcore site:linuxcontainers.org" does not seem 
to return any related documentation (though I've seen a similar question 
sent a few years ago, without any specific answers).

-- 
Tomasz Chmielewski
http://www.sslrack.com



More information about the lxc-users mailing list