On Fri, Apr 5, 2019 at 12:36 PM Andrey Ignatov <rdna@xxxxxx> wrote:
> Containerized applications may run as root and it may create problems
> for the whole host. Specifically, such applications may change a sysctl
> and affect applications in other containers.
>
> Furthermore, in existing infrastructure it may not be possible to just
> completely disable writing to sysctl; instead, such a process should be
> gradual, with the ability to log which sysctls are being changed by a
> container, investigate, limit the set of writable sysctls to currently
> used ones (so that new ones cannot be changed) and eventually reduce
> this set to zero.

Actual-root-in-a-container is pretty powerful. What about module
loading, or /dev files?

Instead of sysctl-specific hooks, what about VFS hooks, which would be
able to cover all file-based APIs? This is what, for example, Landlock
was working on doing (also with eBPF).

-- 
Kees Cook
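The VFS-level alternative Kees raises can be shown with Landlock as it was eventually merged in Linux 5.13: the merged design uses a ruleset API rather than the eBPF design this 2019 thread refers to, but the effect is the one he describes, a sysctl write is just a write to a file under /proc/sys, so a filesystem allowlist that never grants write access beneath /proc blocks it even for root in the container. The following is an added example written for this page, not code from the thread, from Andrey's patch series, or from the Landlock project. It assumes the Landlock UAPI (or, where the toolchain headers predate it, the ABI-1 definitions reproduced inline), assumes /tmp as the one writable tree, and uses kernel.hostname purely as an illustrative sysctl.

```c
/*
 * Added example: make /proc/sys (and everything not explicitly listed)
 * read-only for the calling process with Landlock (Linux >= 5.13).
 * Not code from the thread or the Landlock project; see lead-in.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__has_include)
#  if __has_include(<linux/landlock.h>)
#    include <linux/landlock.h>
#    define HAVE_LANDLOCK_H 1
#  endif
#endif

#ifndef HAVE_LANDLOCK_H
/* Assumed to mirror the ABI-1 UAPI header, for toolchains that lack it. */
struct landlock_ruleset_attr { uint64_t handled_access_fs; };
struct landlock_path_beneath_attr {
    uint64_t allowed_access;
    int32_t parent_fd;
} __attribute__((packed));
#define LANDLOCK_RULE_PATH_BENEATH      1
#define LANDLOCK_ACCESS_FS_EXECUTE      (1ULL << 0)
#define LANDLOCK_ACCESS_FS_WRITE_FILE   (1ULL << 1)
#define LANDLOCK_ACCESS_FS_READ_FILE    (1ULL << 2)
#define LANDLOCK_ACCESS_FS_READ_DIR     (1ULL << 3)
#define LANDLOCK_ACCESS_FS_REMOVE_DIR   (1ULL << 4)
#define LANDLOCK_ACCESS_FS_REMOVE_FILE  (1ULL << 5)
#define LANDLOCK_ACCESS_FS_MAKE_CHAR    (1ULL << 6)
#define LANDLOCK_ACCESS_FS_MAKE_DIR     (1ULL << 7)
#define LANDLOCK_ACCESS_FS_MAKE_REG     (1ULL << 8)
#define LANDLOCK_ACCESS_FS_MAKE_SOCK    (1ULL << 9)
#define LANDLOCK_ACCESS_FS_MAKE_FIFO    (1ULL << 10)
#define LANDLOCK_ACCESS_FS_MAKE_BLOCK   (1ULL << 11)
#define LANDLOCK_ACCESS_FS_MAKE_SYM     (1ULL << 12)
#endif

/* The three syscall numbers are architecture-independent since 5.13. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#endif
#ifndef __NR_landlock_add_rule
#define __NR_landlock_add_rule 445
#endif
#ifndef __NR_landlock_restrict_self
#define __NR_landlock_restrict_self 446
#endif

/* Only ABI-1 rights, so the ruleset is accepted by every Landlock kernel. */
#define FS_READ  (LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_READ_FILE | \
                  LANDLOCK_ACCESS_FS_READ_DIR)
#define FS_WRITE (LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_REMOVE_DIR | \
                  LANDLOCK_ACCESS_FS_REMOVE_FILE | LANDLOCK_ACCESS_FS_MAKE_CHAR | \
                  LANDLOCK_ACCESS_FS_MAKE_DIR | LANDLOCK_ACCESS_FS_MAKE_REG | \
                  LANDLOCK_ACCESS_FS_MAKE_SOCK | LANDLOCK_ACCESS_FS_MAKE_FIFO | \
                  LANDLOCK_ACCESS_FS_MAKE_BLOCK | LANDLOCK_ACCESS_FS_MAKE_SYM)

/* Grant `rights` beneath `path` in the ruleset. Returns 0 or -errno. */
static int allow_beneath(int ruleset_fd, const char *path, uint64_t rights)
{
    struct landlock_path_beneath_attr rule = { .allowed_access = rights };
    rule.parent_fd = open(path, O_PATH | O_CLOEXEC);
    if (rule.parent_fd < 0)
        return -errno;
    long rc = syscall(__NR_landlock_add_rule, ruleset_fd,
                      LANDLOCK_RULE_PATH_BENEATH, &rule, 0);
    int saved = errno;
    close(rule.parent_fd);
    return rc < 0 ? -saved : 0;
}

/*
 * Build a ruleset that handles every ABI-1 filesystem right, grants
 * read/execute beneath "/", and grants write only beneath the listed
 * trees. Landlock rules only ever add rights, so leaving /proc out of
 * the write list is what makes /proc/sys/* unwritable. Returns the
 * ruleset fd, or -errno (-ENOENT for a missing path, -ENOSYS or
 * -EOPNOTSUPP when the kernel has no Landlock).
 */
static int build_write_allowlist_ruleset(const char *const *write_paths, size_t n)
{
    for (size_t i = 0; i < n; i++)          /* fail early on a typo'd path */
        if (access(write_paths[i], F_OK) != 0)
            return -errno;
    struct landlock_ruleset_attr attr = { .handled_access_fs = FS_READ | FS_WRITE };
    long fd = syscall(__NR_landlock_create_ruleset, &attr, sizeof(attr), 0);
    if (fd < 0)
        return -errno;
    int rc = allow_beneath((int)fd, "/", FS_READ);
    for (size_t i = 0; i < n && rc == 0; i++)
        rc = allow_beneath((int)fd, write_paths[i], FS_READ | FS_WRITE);
    if (rc != 0) {
        close((int)fd);
        return rc;
    }
    return (int)fd;
}

/* Apply the ruleset to this process (and every child). Returns 0 or -errno. */
static int enforce_ruleset(int ruleset_fd)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)   /* required unless CAP_SYS_ADMIN */
        return -errno;
    if (syscall(__NR_landlock_restrict_self, ruleset_fd, 0) != 0)
        return -errno;
    return 0;
}

int main(void)
{
    const char *const write_ok[] = { "/tmp" };        /* assumed scratch tree */
    int fd = build_write_allowlist_ruleset(write_ok, 1);
    if (fd < 0) {
        fprintf(stderr, "landlock unavailable: %s\n", strerror(-fd));
        return 1;
    }
    int rc = enforce_ruleset(fd);
    close(fd);
    if (rc != 0) {
        fprintf(stderr, "restrict_self: %s\n", strerror(-rc));
        return 1;
    }
    /* Even as root, the sysctl file can no longer be opened for writing. */
    int sys = open("/proc/sys/kernel/hostname", O_WRONLY | O_CLOEXEC);
    printf("write-open /proc/sys/kernel/hostname: %s\n",
           sys < 0 ? strerror(errno) : "allowed (unexpected)");
    int tmp = open("/tmp/landlock-demo", O_WRONLY | O_CREAT | O_CLOEXEC, 0600);
    printf("write-open /tmp/landlock-demo: %s\n", tmp < 0 ? strerror(errno) : "allowed");
    if (sys >= 0) close(sys);
    if (tmp >= 0) { close(tmp); unlink("/tmp/landlock-demo"); }
    return 0;
}
```

Run it as any user on a kernel with Landlock enabled; the first open fails with EACCES and the second succeeds. This covers the file-based API Kees has in mind, but note that it does no more than that: module loading goes through init_module/finit_module rather than a file write, and creating device nodes is only blocked here because MAKE_CHAR and MAKE_BLOCK are among the handled rights, so the other concerns in the reply still need capability and seccomp controls alongside the VFS policy.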