[lxc-users] basic security questions
Tamas Papp
tompos at martos.bme.hu
Sat Jan 31 15:34:15 UTC 2015
On 01/31/2015 04:19 PM, Tomasz Chmielewski wrote:
> How do I do this?
>
> I've created my container with:
>
> lxc-create --template download --name container-name -B btrfs
>
>
> "man lxc-create" does not contain "priv" string.
Use Google.
Actually the right word is unprivileged:
https://www.google.hu/search?client=ubuntu&channel=fs&q=lxc+non+privileges+container&ie=utf-8&oe=utf-8&gfe_rd=cr&ei=_PTMVKavCZCu8wesr4LIBg#channel=fs&q=lxc+unprivileged+container&spell=1
>
>
>>> 2. lxc containers are able to write to /proc/sysrq-trigger - so can
>>> technically poweroff the host:
>>>
>>> guest# echo w > /proc/sysrq-trigger
>>> guest# dmesg
>>>
>>>
>>> 3. /proc/kcore? And perhaps anything else which might need blocking
>>> so that the guest is not able to read data from the host/other guests?
>>
>> These two should be denied by apparmor, unless you run containers with
>> unconfined apparmor profile.
>
> Is it documented anywhere?
>
> Google search for "/proc/kcore site:linuxcontainers.org" does not seem
> to return any related documentation (though I've seen a similar
> question sent a few years ago, without any specific answers).
Look at your container's config file and search for lxc.aa_profile. If
it isn't there, it should be protected by apparmor on Ubuntu by default.
Also take a look here:
/etc/apparmor.d/lxc
In fact I'm not sure about kcore, but sysrq-trigger is protected, I'm
sure. If not, then something is really wrong on your system.
Cheers,
tamas
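
The check described in the reply above (look for lxc.aa_profile in the container's config, and whether the container is unprivileged), as an added example that is not part of the original message. It assumes the config text is passed in as a string; the newer key names lxc.apparmor.profile and lxc.idmap are accepted alongside the older ones, and the sample configs are constructed.

```python
# Added example: audit LXC container config text for the two settings
# discussed in the thread. Files pulled in via lxc.include are NOT followed.
AA_KEYS = {"lxc.aa_profile", "lxc.apparmor.profile"}  # second name: newer LXC releases
IDMAP_KEYS = {"lxc.id_map", "lxc.idmap"}              # set only for unprivileged containers

def parse_config(text):
    """Yield (key, value) pairs, skipping blank lines and # comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        yield key.strip(), value.strip()

def audit(text):
    profile = None   # None: key absent, so the distribution default applies
    idmaps = []
    for key, value in parse_config(text):
        if key in AA_KEYS:
            profile = value          # a later assignment overrides an earlier one
        elif key in IDMAP_KEYS:
            idmaps.append(value)
    findings = []
    if profile == "unconfined":
        findings.append("AppArmor profile is unconfined: the /proc denials "
                        "the reply relies on are not enforced")
    if not idmaps:
        findings.append("no uid/gid map: container is privileged")
    return {"aa_profile": profile, "unprivileged": bool(idmaps),
            "findings": findings}

# Constructed sample configs (not taken from a real system).
DEFAULT = "# default\nlxc.utsname = container-name\n"
UNCONFINED = "lxc.utsname = container-name\nlxc.aa_profile = unconfined\n"
UNPRIV = ("lxc.utsname = container-name\n"
          "lxc.id_map = u 0 100000 65536\n"
          "lxc.id_map = g 0 100000 65536\n")

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT), ("unconfined", UNCONFINED),
                      ("unprivileged", UNPRIV)):
        print(name, audit(cfg))
```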