Quoting Fiedler Roman (roman.fied...@ait.ac.at):
> Hi Serge,
>
> > -----Original Message-----
> > From: Serge Hallyn [mailto:serge.hal...@canonical.com]
> > To: Fiedler Roman
> > Cc: lxc-users@lists.sourceforge.net
> > Subject: Re: [Lxc-users] lxc and guest /proc/kcore access restriction
> >
> > Quoting Fiedler Roman (roman.fied...@ait.ac.at):
> > > Hello List,
> > >
> > > I have problems finding information about lxc with system virtualization
> > > and access restriction to /proc/kcore. In my setup, root in guest can read
> > > /proc/kcore; data from host shows up in container kcore, so kcore is not
> > > somehow faked/virtualized.
> > >
> > > I did not find any suitable information about securing /proc use inside a
> > > container, so perhaps someone could point me to information on these
> > > questions?
> > >
> > > * Is secure /proc use (no escape, no major host/container or
> > > inter-container info leaks) inside guest possible?
> >
> > ATM I recommend you use an LSM to do that.
>
> Thanks for the hint, I'm looking into that.
>
> Is there anyone on this list who is already using kernel memory isolation
> between guest and host or between guests? Which LSM variant and configuration
> is useful? Is there a good base configuration to start with?

Yes, check out http://osdir.com/ml/lxc-chroot-linux-containers/2011-08/msg00004.html for Olivier using Smack. I don't know of anyone using SELinux, but it should be a snap.

> I'm using
> http://www.ibm.com/developerworks/linux/library/l-lxc-security/index.html?ca=dgr-lnxw961ELinux-Smack-Contains&S_TACT=105AGX59&S_CMP=grsitelnxw961
> for a start, but I guess it is a long road until all access to all critical
> /proc components and syscalls is restricted.

In the next few months we hope to have effective (not very flexible, but effective) apparmor support. Then over the next 6 months after that, more flexibility will be added. (I can say more about the limitations etc, but I suspect as you can't use it right now that's less interesting to you than following up on the Smack usage.)

http://wiki.ubuntu.com/LxcSecurity may be of interest.

-serge