> -----Original Message----- > From: Daniel P. Berrange [mailto:berrange@xxxxxxxxxx] > Sent: Thursday, January 08, 2015 9:03 PM > To: libvir-list@xxxxxxxxxx > Cc: Richard Weinberger; Chen, Hanxiao/陈 晗霄; Daniel P. Berrange > Subject: [PATCH] lxc: Stop mouning /proc and /sys read only > > Mounting parts of /proc and /sys read only provides no security > without user namespaces, since root has privilege to remount > them writable again. When user namepaces are enable, if offers > no security benefit, since the UID remapping already prevents > write access to the correct areas. > --- > src/lxc/lxc_container.c | 15 +++++++++++---- > 1 file changed, 11 insertions(+), 4 deletions(-) ACK. We also need to do some cleanups in lxcContainerMountBasicFS; also for commit: ba9b7252ea8d87dfa217fb11dc5dadc039176807 Thanks, - Chen -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list