Quoting Dietmar Maurer (diet...@proxmox.com):
> seems directory /sys/fs/cgroup/cgmanager is directly mounted from host, so any
> container can simply remove the cgmanager socket on the host from inside the
> container:
>
> # rm /sys/fs/cgroup/cgmanager/sock
>
> I guess this should not be possible?
It's not possible from a user-namespaced container. For a container where root is root, the only thing I can think of that would prevent this is selinux, maybe smack. Sadly there is no way with apparmor to say "you may not delete /a/b but you may write to /a/b".

The reason we did it this way instead of just binding in the sock itself is because if cgmanager restarts, this allows all containers to continue and just pick up the new socket. Binding in the socket itself would make umount+rm in the container innocuous, but a cgmanager restart would be problematic in the container.
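The trade-off in the reply (bind in the directory and every lookup of `sock` by name finds a recreated socket; bind in the socket file and the container keeps a reference to the old inode) can be modelled with ordinary file handles. This is an added illustration, not code from lxc or cgmanager, and it uses open fds in a temporary directory as a stand-in for real bind mounts, which would need root and a mount namespace:

```python
import os
import tempfile


def restart_visibility():
    """Model the two bind-mount choices from the thread with plain fds.

    A directory handle looks "sock" up by name on every access, so a socket
    recreated after a cgmanager restart is found.  A handle to the socket
    file itself is pinned to one inode, so after the restart it still points
    at the old, unlinked socket.  (Model only: fds, not real bind mounts.)
    """
    base = tempfile.mkdtemp(prefix="cgmanager-model-")   # constructed sandbox dir
    sock = os.path.join(base, "sock")
    open(sock, "w").close()                       # stand-in for the first socket
    dir_fd = os.open(base, os.O_RDONLY)           # "directory bound into the container"
    file_fd = os.open(sock, os.O_RDONLY)          # "socket file bound into the container"
    try:
        os.unlink(sock)                           # cgmanager restart: old socket removed ...
        open(sock, "w").close()                   # ... and a new one created at the same path
        via_dir = os.stat("sock", dir_fd=dir_fd)  # lookup by name through the directory
        via_file = os.fstat(file_fd)              # the pinned old inode
        current = os.stat(sock)                   # what the host now has at that path
        return {
            "dir_reaches_new_socket": (via_dir.st_dev, via_dir.st_ino)
            == (current.st_dev, current.st_ino),
            "file_still_linked": via_file.st_nlink > 0,
        }
    finally:
        os.close(dir_fd)
        os.close(file_fd)
        os.unlink(sock)
        os.rmdir(base)


if __name__ == "__main__":
    print(restart_visibility())
```

The directory handle reaches the new socket while the file handle reports link count 0, which is why a directory bind survives a cgmanager restart but also lets a non-user-namespaced container unlink the host's socket.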