[lxc-users] Unprivileged LXC - proc:mixed vs. proc:rw
Dr. Todor Dimitrov
dimitrov at technology.de
Thu Aug 16 19:07:16 UTC 2018
A follow-up: I assume the same applies to sys:mixed vs. sys:rw, correct?
Todor
> On 23. May 2018, at 19:09, Christian Brauner <christian at brauner.io> wrote:
>
> On Wed, May 23, 2018 at 06:13:02PM +0200, Dr. Todor Dimitrov wrote:
>> Hello,
>>
>> Is there any security benefit of using proc:mixed inside an unprivileged container? Or does proc:rw deliver the same level of isolation?
>
> There's no security benefit for unprivileged containers. They can't
> change /proc/sys and /proc/sysrq-trigger. If they can and the file isn't
> namespaced it's a bug.
>
> Christian
>
>>
>> lxc.mount.auto = proc:mixed
>>
>> vs.
>>
>> lxc.mount.auto = proc:rw
>>
>> Thanks in advance,
>> Todor
>>
>
>
>
>> _______________________________________________
>> lxc-users mailing list
>> lxc-users at lists.linuxcontainers.org
>> http://lists.linuxcontainers.org/listinfo/lxc-users
>
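
Added example, not part of the original thread and not LXC's own code: a shell check, run inside a container, that reports whether /proc/sys and /proc/sysrq-trigger are mounted read-only (the layout lxc.container.conf(5) documents for proc:mixed) and whether container root is remapped to a non-zero host uid, which is the property the reply relies on. The function names are hypothetical; the inputs default to /proc/self/mountinfo and /proc/self/uid_map.

```shell
#!/bin/sh
# Added example: report how /proc is exposed in the current container.
# Inputs default to the live /proc files; any mountinfo/uid_map-format
# file can be passed instead.

# Print "ro", "rw" or "absent" for the topmost mount at mount point $2,
# read from the mountinfo-format file $1
# (field 5 = mount point, field 6 = per-mount options).
mount_mode() {
    awk -v mp="$2" '
        $5 == mp { mode = "rw"; n = split($6, o, ",")
                   for (i = 1; i <= n; i++) if (o[i] == "ro") mode = "ro" }
        END { print (mode == "" ? "absent" : mode) }' "$1"
}

# Succeed when container uid 0 is mapped to a non-zero host uid, i.e. the
# container is unprivileged. uid_map lines: inside-uid outside-uid length.
root_is_remapped() {
    awk '$1 == 0 && $3 > 0 { seen = 1; if ($2 != 0) remapped = 1 }
         END { exit !(seen && remapped) }' "$1"
}

# Print "<layout> <idmap>": layout is "mixed" when both /proc/sys and
# /proc/sysrq-trigger are read-only overmounts, otherwise "rw"; idmap is
# "unprivileged" or "privileged".
proc_report() {
    mi=${1:-/proc/self/mountinfo}
    um=${2:-/proc/self/uid_map}
    sys=$(mount_mode "$mi" /proc/sys)
    trig=$(mount_mode "$mi" /proc/sysrq-trigger)
    if [ "$sys" = ro ] && [ "$trig" = ro ]; then layout=mixed; else layout=rw; fi
    if root_is_remapped "$um"; then idmap=unprivileged; else idmap=privileged; fi
    echo "$layout $idmap"
}
```

Source the file inside the container and call `proc_report` with no arguments; a result of `rw privileged` is the combination in which nothing but the mount layout stands between container root and the host's /proc/sys.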