[lxc-users] basic security questions

Tamas Papp tompos at martos.bme.hu
Sat Jan 31 15:34:15 UTC 2015


On 01/31/2015 04:19 PM, Tomasz Chmielewski wrote:
> How do I do this?
>
> I've created my container with:
>
> lxc-create --template download --name container-name -B btrfs
>
>
> "man lxc-create" does not contain "priv" string.

Use google.
Actually the right word is unprivileged:

https://www.google.hu/search?client=ubuntu&channel=fs&q=lxc+non+privileges+container&ie=utf-8&oe=utf-8&gfe_rd=cr&ei=_PTMVKavCZCu8wesr4LIBg#channel=fs&q=lxc+unprivileged+container&spell=1

>
>
>>> 2. lxc containers are able to write to /proc/sysrq-trigger - so can 
>>> technically poweroff the host:
>>>
>>> guest# echo w > /proc/sysrq-trigger
>>> guest# dmesg
>>>
>>>
>>> 3. /proc/kcore? And perhaps anything else which might need blocking 
>>> so that the guest is not able to read data from the host/other guests?
>>
>> These two should be denied by apparmor, unless you run containers with
>> unconfined apparmor profile.
>
> Is it documented anywhere?
>
> Google search for "/proc/kcore site:linuxcontainers.org" does not seem 
> to return any related documentation (though I've seen a similar 
> question sent a few years ago, without any specific answers).

Look at your container's config file and search for lxc.aa_profile. If 
it isn't there, it should be protected by apparmor on Ubuntu by default.
Also take a look here:

/etc/apparmor.d/lxc

In fact I'm not sure about kcore, but sysrq-trigger is protected, I'm 
sure. If not, then something is really wrong on your system.


Cheers,
tamas
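
The config check suggested in the message above, as an added example that is not part of the original post: a POSIX shell function that reads a container's config for lxc.aa_profile and flags containers set to unconfined. The function names, the sample tree and the "last assignment wins" rule are assumptions of this example.

```shell
#!/bin/sh
# Added example. lxc.aa_profile is the key named in the post; treating the
# last assignment as the effective one is an assumption of this sketch.

# Print "default", "unconfined" or "profile:<name>" for one config file.
aa_profile_status() {
    cfg=$1
    [ -r "$cfg" ] || { echo "unreadable"; return 2; }
    # Drop comments, match the key with optional spaces around '=',
    # trim trailing blanks and keep the last value seen.
    val=$(sed -e 's/#.*$//' "$cfg" |
          sed -n 's/^[[:space:]]*lxc\.aa_profile[[:space:]]*=[[:space:]]*//p' |
          sed -e 's/[[:space:]]*$//' | tail -n 1)
    case "$val" in
        "")         echo "default" ;;              # key absent: default profile expected
        unconfined) echo "unconfined"; return 1 ;; # no AppArmor confinement
        *)          echo "profile:$val" ;;
    esac
}

# Print "<name><TAB><status>" for every <lxcpath>/<name>/config.
# Returns non-zero if any container is unconfined or unreadable.
audit_lxc_path() {
    rc=0
    for cfg_path in "$1"/*/config; do
        [ -e "$cfg_path" ] || continue
        name=$(basename "$(dirname "$cfg_path")")
        st=$(aa_profile_status "$cfg_path") || rc=1
        printf '%s\t%s\n' "$name" "$st"
    done
    return "$rc"
}

# Constructed sample tree (not real containers); prints its path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/web" "$d/db" "$d/build"
    printf 'lxc.utsname = web\n' > "$d/web/config"
    printf 'lxc.utsname = db\nlxc.aa_profile = unconfined\n' > "$d/db/config"
    printf '# lxc.aa_profile = unconfined\nlxc.aa_profile=lxc-container-default-with-nesting\n' \
        > "$d/build/config"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree) && audit_lxc_path "$tree"
    rm -rf "$tree"
fi
```

On a host, point `audit_lxc_path` at the LXC path in use (commonly /var/lib/lxc for root-owned containers); settings pulled in through lxc.include files are not followed by this sketch.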

