[lxc-users] Unprivileged LXC - proc:mixed vs. proc:rw
Christian Brauner
christian at brauner.io
Fri Aug 17 09:41:11 UTC 2018
On Thu, Aug 16, 2018 at 09:07:16PM +0200, Dr. Todor Dimitrov wrote:
> A follow-up: I assume the same applies to sys:mixed vs. sys:rw, correct?
Yes. Newever LXC versions will always set sys:rw for unpriv containers.
Christian
>
> Todor
>
> > On 23. May 2018, at 19:09, Christian Brauner <christian at brauner.io> wrote:
> >
> > On Wed, May 23, 2018 at 06:13:02PM +0200, Dr. Todor Dimitrov wrote:
> >> Hallo,
> >>
> >> is there any security benefit of using proc:mixed inside an unprivileged container? Or does proc:rw deliver the same level of isolation?
> >
> > There's no security benefit for unprivileged containers. They can't
> > change /proc/sys and /proc/sysrq-trigger. If they can and the file isn't
> > namespaced it's a bug.
> >
> > Christian
> >
> >>
> >> lxc.mount.auto = proc:mixed
> >>
> >> vs.
> >>
> >> lxc.mount.auto = proc:rw
> >>
> >> Thanks in advance,
> >> Todor
> >>
> >
> >
> >
> >> _______________________________________________
> >> lxc-users mailing list
> >> lxc-users at lists.linuxcontainers.org
> >> http://lists.linuxcontainers.org/listinfo/lxc-users
> >
> > _______________________________________________
> > lxc-users mailing list
> > lxc-users at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-users
>
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
More information about the lxc-users
mailing list