Re: how to do not allow to mount /cgroup inside container?

Krzysztof Taraszka wrote:
> Hi,
>
> I was looking for a possibility to secure an lxc container so as not to allow
> the 'root container user' to change limits in cgroup. Right now, without STACK64
> or SELinux, he can do this easily.
> I read the http://www.ibm.com/developerworks/linux/library/l-lxc-security/cookbook
> and decided to use the STACK64 kernel mechanism.
> Well... mounting cgroup inside the container fails (great! I was looking for that
> ;)) but networking fails too (the interface comes up, sshd comes up, there is a
> connection between host and container, but 'mtr', 'ping' and even 'apt-get update'
> fail and I do not know why). I secured my container exactly as in the
> cookbook.
>
> Is there any other possibility to have a secure container without network
> problems, or any hint on how to enable networking with STACK64 enabled? If so,
> maybe the l-lxc-security cookbook has to be updated? Maybe another kernel
> patch to not allow the container to mount cgroup when the mount call comes
> from the container?
>
> Any ideas?
>
I think Serge can help you in this area (Cc'ed).
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers