On 09/11/2013 04:56 AM, Daniel P. Berrange wrote: > From: "Daniel P. Berrange" <berrange@xxxxxxxxxx> > > Describe some of the issues to be aware of when configuring LXC > guests with security isolation as a goal. > > Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx> > --- > docs/drvlxc.html.in | 103 ++++++++++++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 103 insertions(+) > > + > +<p> > +Sharing the host filesystem tree, also allows applications to access > +UNIX domains sockets associated with the host OS, which are in the > +filesystem namespaces. It should be noted that a number of init > +systems including at least <code>systemd</code> and <code>upstart</code> > +have UNIX domain socket which are used to control their operation. > +Thus, if the directory/filesystem holding their UNIX domain socket is > +exposed to the container, it will be possible for a user in the container > +to invoke operations on the init service in the same way it could if > +outside the container. This also applies to other applications in the > +host which use UNIX domain sockets in the filesystem, such as DBus, > +Libvirtd, and many more. If this is not desired, then applications > +should either specify the UID/GID mapping in the configuration to > +enable user namespaces & thus block access to the UNIX domain socket s/&/and/ ACK. -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org
Attachment:
signature.asc
Description: OpenPGP digital signature
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list