[lxc-users] Unprivileged LXC - proc:mixed vs. proc:rw

Christian Brauner christian at brauner.io
Fri Aug 17 09:41:11 UTC 2018


On Thu, Aug 16, 2018 at 09:07:16PM +0200, Dr. Todor Dimitrov wrote:
> A follow-up: I assume the same applies to sys:mixed vs. sys:rw, correct?

Yes. Newer LXC versions will always set sys:rw for unpriv containers.

Christian

> 
> Todor
> 
> > On 23. May 2018, at 19:09, Christian Brauner <christian at brauner.io> wrote:
> > 
> > On Wed, May 23, 2018 at 06:13:02PM +0200, Dr. Todor Dimitrov wrote:
> >> Hallo,
> >> 
> >> is there any security benefit of using proc:mixed inside an unprivileged container? Or does proc:rw deliver the same level of isolation?
> > 
> > There's no security benefit for unprivileged containers. They can't
> > change /proc/sys and /proc/sysrq-trigger. If they can and the file isn't
> > namespaced it's a bug.
> > 
> > Christian
> > 
> >> 
> >> lxc.mount.auto = proc:mixed
> >> 
> >> vs.
> >> 
> >> lxc.mount.auto = proc:rw
> >> 
> >> Thanks in advance,
> >> Todor
> >> 
> > 
> > 
> > 
> >> _______________________________________________
> >> lxc-users mailing list
> >> lxc-users at lists.linuxcontainers.org
> >> http://lists.linuxcontainers.org/listinfo/lxc-users
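A practical way to see what proc:mixed actually changes, as an added example that is not part of the original thread and not LXC's own code: a small Python script that reads /proc/self/mountinfo, finds the most specific mount covering /proc/sys and /proc/sysrq-trigger, reports whether that mount is ro or rw, and then asks access(2) whether the current process may write those files at all. The two mountinfo samples embedded in it are constructed by hand to mirror the layouts lxc.container.conf(5) describes for proc:mixed (rw /proc with /proc/sys and /proc/sysrq-trigger remounted read-only) and proc:rw (a single rw /proc); the mount IDs and device numbers in them are invented. Run inside the container, the read-only bind mounts show up under proc:mixed and disappear under proc:rw, but in an unprivileged container the write check still reports the non-namespaced files as not writable, which is the point made above.

```python
"""Check how /proc/sys and /proc/sysrq-trigger are mounted in a container.

Added example for this thread; not code from LXC or from either poster.
lxc.container.conf(5): proc:mixed mounts /proc read-write but remounts
/proc/sys and /proc/sysrq-trigger read-only; proc:rw mounts /proc read-write.
The mountinfo samples below are constructed to mirror those two layouts;
mount IDs and device numbers are invented.
"""
import os

# Constructed: /proc/self/mountinfo under proc:mixed, where /proc/sys and
# /proc/sysrq-trigger are bind-mounted back over themselves read-only.
PROC_MIXED_MOUNTINFO = """\
25 24 0:22 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
26 25 0:22 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
27 25 0:22 /sysrq-trigger /proc/sysrq-trigger ro,nosuid,nodev,noexec,relatime - proc proc rw
"""

# Constructed: under proc:rw there is a single read-write procfs.
PROC_RW_MOUNTINFO = """\
25 24 0:22 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
"""

# The two paths the thread is about, one sysctl below /proc/sys, and one
# ordinary /proc file for contrast.
PATHS_OF_INTEREST = (
    "/proc/sys",
    "/proc/sys/kernel/sysrq",
    "/proc/sysrq-trigger",
    "/proc/cpuinfo",
)


def unescape_mountinfo(field):
    """Decode the \\ooo octal escapes mountinfo uses for space, tab, newline
    and backslash in the root and mount point fields."""
    out = []
    i = 0
    while i < len(field):
        if (field[i] == "\\" and i + 3 < len(field)
                and all(c in "01234567" for c in field[i + 1:i + 4])):
            out.append(chr(int(field[i + 1:i + 4], 8)))
            i += 4
        else:
            out.append(field[i])
            i += 1
    return "".join(out)


def parse_mountinfo(text):
    """Return [(mount_point, per_mount_options)] from mountinfo text.

    proc(5) field layout: id parent major:minor root mount_point options
    [optional fields...] - fstype source super_options. Only the mount point
    (field 5) and per-mount options (field 6) matter here: "ro"/"rw" in the
    per-mount options is exactly what a read-only bind remount changes.
    """
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # blank or truncated line
        mount_point = unescape_mountinfo(fields[4])
        options = set(fields[5].split(","))
        mounts.append((mount_point, options))
    return mounts


def mount_mode(mounts, path):
    """Return "ro" or "rw" for the most specific mount covering path, or None
    if nothing covers it. A bind mount on /proc/sys beats the /proc mount for
    every path below /proc/sys (longest matching mount point wins)."""
    best, best_len = None, -1
    for mount_point, options in mounts:
        prefix = mount_point.rstrip("/") + "/"
        if (path == mount_point or path.startswith(prefix)) and len(mount_point) > best_len:
            best, best_len = options, len(mount_point)
    if best is None:
        return None
    return "ro" if "ro" in best else "rw"


def classify(mountinfo_text, paths=PATHS_OF_INTEREST):
    """Map each path to its effective ro/rw mode under the given mountinfo."""
    mounts = parse_mountinfo(mountinfo_text)
    return {p: mount_mode(mounts, p) for p in paths}


def live_report():
    """Classify the running system's own mount table and, per path, report
    whether access(2) says the current process may write it. In an
    unprivileged container the kernel denies writes to non-namespaced sysctls
    and to /proc/sysrq-trigger whether or not LXC also marked them ro."""
    with open("/proc/self/mountinfo") as f:
        modes = classify(f.read())
    return {p: (modes[p], os.access(p, os.W_OK)) for p in PATHS_OF_INTEREST}


if __name__ == "__main__":
    print("proc:mixed sample:", classify(PROC_MIXED_MOUNTINFO))
    print("proc:rw    sample:", classify(PROC_RW_MOUNTINFO))
    try:
        for path, (mode, writable) in live_report().items():
            print(f"{path}: mounted {mode}, writable by this process: {writable}")
    except OSError as exc:
        print("live check skipped:", exc)
```

The same mount_mode lookup works for the sys:mixed question in the follow-up: point it at /sys and /sys/devices/virtual/net instead of the /proc paths. Only the mount-table part is deterministic; the access(2) result depends on where the script runs (host, privileged or unprivileged container).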


