On Fri, Feb 14, 2014 at 08:49:07AM +0100, Richard Weinberger wrote:
> On 13.02.2014 18:16, Daniel P. Berrange wrote:
> > On Tue, Feb 11, 2014 at 11:51:26PM +0100, Richard Weinberger wrote:
> >> Due to security concerns we delegate only VIR_CGROUP_CONTROLLER_SYSTEMD
> >> to containers.
> >> Currently it is not safe to allow a container access to a resource controller.
> >>
> >
> > We *do* want to allow all controllers to be visible to the container.
> > eg it is valid for them to have read access to view things like block
> > I/O and CPU accounting information. We just don't want to make it writable
> > for usernamespaces.
>
> Okay. But what if one does not enable user namespaces?
> Then the controllers are writable within the container.

If you don't enable user namespaces, then containers should be considered
insecure unless all processes run non-root and all your filesystems are
mounted no-setuid to prevent escalation of privileges back to root, or you
have SELinux applying controls. So once you have the requirement that
security depends on being non-root then the cgroups are no longer writable,
except when your container is already insecure for other reasons.

Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
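As an added example that is not part of this thread and not libvirt code, the following Python audits, from inside a container, the conditions the reply above ties container security to when user namespaces are off: whether a user namespace is in use at all (read from /proc/self/uid_map), whether the process is root, which mounts lack nosuid, and which cgroup controller hierarchies are writable. It assumes a cgroup v1 layout with one directory per controller under /sys/fs/cgroup; the PSEUDO_FS set, the sample mounts and uid_map contents are constructed for the example, and the identity-map test for user namespaces is a heuristic.

```python
"""Added example, not libvirt's code: audit the container-security
conditions from the reply (non-root, nosuid mounts, read-only cgroups,
user namespace present).  Paths and sample inputs are assumptions."""
import os

# Pseudo-filesystems that cannot carry a setuid binary; skipped when
# looking for mounts that lack nosuid.  Assumed set for this example.
PSEUDO_FS = {"proc", "sysfs", "cgroup", "cgroup2", "devpts", "mqueue",
             "securityfs", "debugfs"}

# Constructed /proc/self/mounts content: only the root filesystem was
# mounted without nosuid, every other mount has it.
SAMPLE_MOUNTS = """\
/dev/mapper/vg-ct0 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,mode=755 0 0
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620 0 0
cgroup /sys/fs/cgroup/cpu cgroup rw,nosuid,nodev,noexec,relatime,cpu 0 0
/dev/sdb1 /data ext4 rw,nosuid,relatime 0 0
"""

# Constructed /proc/self/uid_map contents: the identity map seen outside
# any user namespace, and a typical mapped one (constructed values).
UID_MAP_NO_USERNS = "         0          0 4294967295\n"
UID_MAP_USERNS = "         0     100000      65536\n"


def parse_mounts(text):
    """Parse /proc/self/mounts lines into (mountpoint, fstype, option-set)."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _dev, mountpoint, fstype, opts = fields[:4]
        mounts.append((mountpoint, fstype, set(opts.split(","))))
    return mounts


def mounts_allowing_setuid(mounts):
    """Mount points on real filesystems where a setuid binary is honoured."""
    return [mp for mp, fstype, opts in mounts
            if fstype not in PSEUDO_FS and "nosuid" not in opts]


def in_user_namespace(uid_map_text):
    """Heuristic: the single identity line '0 0 4294967295' is what a
    process outside any user namespace sees; anything else means a map."""
    rows = [l.split() for l in uid_map_text.splitlines() if l.strip()]
    return rows != [["0", "0", "4294967295"]]


def writable_controllers(cgroup_root, can_write=None):
    """Controller directories under cgroup_root (cgroup v1 layout) that
    this process can write to.  can_write is injectable for testing."""
    if can_write is None:
        def can_write(path):
            return os.access(path, os.W_OK)
    if not os.path.isdir(cgroup_root):
        return []
    return sorted(name for name in os.listdir(cgroup_root)
                  if os.path.isdir(os.path.join(cgroup_root, name))
                  and can_write(os.path.join(cgroup_root, name)))


def audit(mounts_text, uid_map_text, euid, cgroup_root="/sys/fs/cgroup",
          can_write=None):
    """Return a list of findings; empty means none of the conditions from
    the reply are violated in this container."""
    findings = []
    if euid == 0 and not in_user_namespace(uid_map_text):
        findings.append("running as root without a user namespace: "
                        "treat the container as insecure")
    suid = mounts_allowing_setuid(parse_mounts(mounts_text))
    if suid:
        findings.append("mounts without nosuid: " + ", ".join(suid))
    ctl = writable_controllers(cgroup_root, can_write)
    if ctl:
        findings.append("writable cgroup controllers: " + ", ".join(ctl))
    return findings


if __name__ == "__main__":
    # Run against the live container by reading the real proc files.
    with open("/proc/self/mounts") as f:
        live_mounts = f.read()
    with open("/proc/self/uid_map") as f:
        live_uid_map = f.read()
    for finding in audit(live_mounts, live_uid_map, os.geteuid()) or ["ok"]:
        print(finding)
```

Run it as the container's workload user: a non-empty report means one of the preconditions in the reply (non-root, nosuid everywhere, controllers not writable) does not hold, and the cgroup question is moot because the container is already escalatable by other means.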