On 14.02.2014 11:30, Daniel P. Berrange wrote:
> On Fri, Feb 14, 2014 at 08:49:07AM +0100, Richard Weinberger wrote:
>> On 13.02.2014 18:16, Daniel P. Berrange wrote:
>>> On Tue, Feb 11, 2014 at 11:51:26PM +0100, Richard Weinberger wrote:
>>>> Due to security concerns we delegate only VIR_CGROUP_CONTROLLER_SYSTEMD
>>>> to containers.
>>>> Currently it is not safe to allow a container access to a resource controller.
>>>>
>>>
>>> We *do* want to allow all controllers to be visible to the container.
>>> eg it is valid for them to have read access to view things like block
>>> I/O and CPU accounting information. We just don't want to make it writable
>>> for usernamespaces.
>>
>> Okay. But what if one does not enable user namespaces?
>> Then the controllers are writable within the container.
>
> If you don't enable user namespaces, then containers should be considered
> insecure unless all processes run non-root and all your filesystems are
> mounted no-setuid to prevent escalation of privileges back to root, or you
> have SELinux applying controls.

Yeah, I hope all users know that too.
Do you plan to support non-user namespace containers in future?
Maybe one should communicate this to docker.io folks as well. *scnr*

> So once you have the requirement that security depends on being non-root
> then the cgroups are no longer writable, except when your container is
> already insecure for other reasons.

Yep.

Thanks,
//richard

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
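The conditions Daniel lists (a user namespace, non-root processes, nosuid mounts) can be audited from inside a container. The script below is an added example, not code from the thread or from libvirt; it takes the contents of /proc/self/uid_map and /proc/self/mounts as text and is run here on a constructed sample, so the function names and the sample mount table are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit the conditions named for a
# container without user namespaces. Inputs are passed as text so the same
# functions work on the constructed sample below and on the live files
# /proc/self/uid_map and /proc/self/mounts.

# Succeeds (0) when uid 0 inside is remapped; fails (1) when a map line makes
# container uid 0 host uid 0 (the identity map "0 0 4294967295" is the usual case).
userns_active() {
    if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*0[[:space:]]+0[[:space:]]'; then
        return 1
    fi
    return 0
}

# Prints the mount point of every cgroup controller mount whose options lack
# "ro": these are the controllers a root process in the container can modify.
writable_cgroups() {
    printf '%s\n' "$1" | awk '$3 == "cgroup" || $3 == "cgroup2" {
        n = split($4, opt, ","); ro = 0
        for (i = 1; i <= n; i++) if (opt[i] == "ro") ro = 1
        if (!ro) print $2 }'
}

# Prints every mount point whose options lack "nosuid", i.e. where a setuid
# binary could hand a non-root process root privileges back.
suid_capable_mounts() {
    printf '%s\n' "$1" | awk '{
        n = split($4, opt, ","); ns = 0
        for (i = 1; i <= n; i++) if (opt[i] == "nosuid") ns = 1
        if (!ns) print $2 }'
}

# Combines the checks into one report on stdout.
audit_container() {
    if userns_active "$1"; then
        echo "ok: user namespace active, container root is not host root"
        return 0
    fi
    echo "warn: no user namespace; processes must run non-root (or under SELinux)"
    writable_cgroups "$2" | sed 's/^/writable cgroup controller: /'
    suid_capable_mounts "$2" | sed 's/^/setuid-capable mount: /'
}

# Constructed sample input modelled on /proc/self/uid_map and /proc/self/mounts.
SAMPLE_UID_MAP='         0          0 4294967295'
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
cgroup /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,name=systemd 0 0
cgroup /sys/fs/cgroup/cpu cgroup ro,nosuid,nodev,noexec,relatime,cpu 0 0
cgroup /sys/fs/cgroup/blkio cgroup rw,nosuid,nodev,noexec,relatime,blkio 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'

audit_container "$SAMPLE_UID_MAP" "$SAMPLE_MOUNTS"
```

On a live system, feed it `"$(cat /proc/self/uid_map)" "$(cat /proc/self/mounts)"` instead of the sample values.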