On Mon, Oct 13, 2008 at 02:29:21PM -0500, Serge E. Hallyn wrote: > Quoting Dave Hansen (dave@xxxxxxxxxxxxxxxxxx): > > On Mon, 2008-10-13 at 11:01 -0700, Tanaka, Thomas wrote: > > > Yes absolutely that is what I am trying to achieve. > > > > I'm going to put on my Serge hat and bet that you can do it with > > security modules. :) > > Right, your goal is still not very precise, but a security module - > smack or selinux - might be your best bet. > > > There's nothing that cgroups or containers gives you that will help with > > your problem. We actually haven't touched the fs namespaces at all, yet > > because they work great as they stand today. > > No, but there is the device whitelist cgroup and capability bounding > sets - perhaps that is what he is asking about? > > If you have a normal chroot - or a container created with > clone(CLONE_NEWNS) followed by pivot_root into a completely isolated > file system tree (say, created using debootstrap), then a root user in > that pivot_root can simply mount /dev/hda1 /mnt and chroot back into > that. > > So to make the above a little more secure, you can > > 1. restrict the container's device whitelist so that it can't > create or use the devices representing the hard drive. We follow this appraoch & use the device whitelist capability in libvirt's LXC driver now for exactly this purpose. Works quite nicely really. There are still some other holes like a private dev-pts but those are in progress Daniel -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :| _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linux-foundation.org/mailman/listinfo/containers