On Mon, May 26, 2014 at 11:32:05AM -0400, Michael H. Warfield wrote: > On Mon, 2014-05-26 at 11:16 +0200, Seth Forshee wrote: > > On Fri, May 23, 2014 at 08:48:25AM +0300, Marian Marinov wrote: > > > -----BEGIN PGP SIGNED MESSAGE----- > > > Hash: SHA1 > > > > > > One question about this patch. > > > > > > Why don't you use the devices cgroup check if the root user in that > > > namespace is allowed to use this device? > > > > > > This way you can be sure that the root in that namespace can not access > > > devices to which the host system did not gave > > > him access to. > > > That might be possible, but I don't want to require something on the > > host to whitelist the device for the container. Then loop would need to > > automatically add the device to devices.allow, which doesn't seem > > desirable to me. But I'm not entirely opposed to the idea if others > > think this is a better way to go. > > I don't see any safe way to avoid it. The host has to be in control of > what devices can and can not be accessed by the container.
Hmm, for testing I've been giving access to 7:* block devices since my containers can't mknod and only see device nodes for loop devices they have access to, but maybe I'm not being sufficiently paranoid. _______________________________________________ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
