[lxc-users] Unprivileged LXC - proc:mixed vs. proc:rw

Dr. Todor Dimitrov dimitrov at technology.de
Thu Aug 16 19:07:16 UTC 2018


A follow-up: I assume the same applies to sys:mixed vs. sys:rw, correct?

Todor

> On 23. May 2018, at 19:09, Christian Brauner <christian at brauner.io> wrote:
> 
> On Wed, May 23, 2018 at 06:13:02PM +0200, Dr. Todor Dimitrov wrote:
>> Hello,
>> 
>> Is there any security benefit of using proc:mixed inside an unprivileged container? Or does proc:rw deliver the same level of isolation?
> 
> There's no security benefit for unprivileged containers. They can't
> change /proc/sys and /proc/sysrq-trigger. If they can and the file isn't
> namespaced it's a bug.
> 
> Christian
> 
>> 
>> lxc.mount.auto = proc:mixed
>> 
>> vs.
>> 
>> lxc.mount.auto = proc:rw
>> 
>> Thanks in advance,
>> Todor
>> 
> 
> 
> 
>> _______________________________________________
>> lxc-users mailing list
>> lxc-users at lists.linuxcontainers.org
>> http://lists.linuxcontainers.org/listinfo/lxc-users
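
Added example, not part of the original messages and not LXC's own code: a shell check that tells a proc:mixed-style mount table (/proc read-write, /proc/sys and /proc/sysrq-trigger read-only) from a proc:rw-style one, and reports whether uid 0 maps to a non-zero host uid. The function names and the sample mountinfo and uid_map contents are constructed; on a live system pass /proc/self/mountinfo and /proc/self/uid_map instead.

```shell
#!/bin/sh
# Added example: classify how /proc is exposed, from mountinfo and uid_map text.
# File paths are parameters so the functions also work on saved copies.
mount_access() {  # $1 = mountinfo file, $2 = mount point; prints ro, rw or none
    awk -v mp="$2" '
        $5 == mp { n = split($6, o, ","); acc = "rw"
                   for (i = 1; i <= n; i++) if (o[i] == "ro") acc = "ro" }
        END { print (acc == "" ? "none" : acc) }' "$1"
}

# "mixed": /proc rw with /proc/sys and /proc/sysrq-trigger read-only.
# "rw": /proc rw with neither path read-only. Anything else: "other".
proc_mode() {
    p=$(mount_access "$1" /proc)
    s=$(mount_access "$1" /proc/sys)
    t=$(mount_access "$1" /proc/sysrq-trigger)
    if [ "$p" = rw ] && [ "$s" = ro ] && [ "$t" = ro ]; then echo mixed
    elif [ "$p" = rw ] && [ "$s" != ro ] && [ "$t" != ro ]; then echo rw
    else echo other; fi
}

# uid_map lines are "inside-start outside-start length"; uid 0 is the line starting at 0.
userns_kind() {
    awk '$1 == 0 { print ($2 == 0 ? "privileged" : "unprivileged"); found = 1 }
         END { if (!found) print "unknown" }' "$1"
}

# Constructed sample inputs (not captured from a real container).
make_samples() {
    cat > "$1/mixed.mountinfo" <<'EOF'
100 90 0:50 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
101 100 0:50 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
102 101 0:50 /sys/net /proc/sys/net rw,nosuid,nodev,noexec,relatime - proc proc rw
103 100 0:50 /sysrq-trigger /proc/sysrq-trigger ro,nosuid,nodev,noexec,relatime - proc proc rw
EOF
    cat > "$1/rw.mountinfo" <<'EOF'
100 90 0:50 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
EOF
    printf '0 100000 65536\n' > "$1/unpriv.uid_map"
    printf '0 0 4294967295\n' > "$1/host.uid_map"
}

d=$(mktemp -d) && make_samples "$d"
echo "mixed sample: $(proc_mode "$d/mixed.mountinfo"), $(userns_kind "$d/unpriv.uid_map")"
echo "rw sample:    $(proc_mode "$d/rw.mountinfo"), $(userns_kind "$d/unpriv.uid_map")"
rm -rf "$d"
```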
