Thanks for your kind response.
As we see, Ubuntu is making use of LXC to have virtualization over cloud
<http://daniil.kulchenko.com/blog/2011/10/virtualization-using-lxc-linux-containers-in-amazon-ec2/>.
I am interested to know any insights about the same.
Is LSM required compulsorily, or can we have some workaround to overcome
/proc issue by limiting the capabilities of containers?

--
Regards,
Shweta




On Tue, Jan 31, 2012 at 6:44 PM, Fiedler Roman <roman.fied...@ait.ac.at> wrote:

> > From: Shweta Shinde [mailto:shwetasshind...@gmail.com]
> > Sent: Tuesday, 31 January 2012 13:09
> > To: lxc-users@lists.sourceforge.net
> > Subject: [Lxc-users] Security in LXC
> >
> > Hi everyone,
> > I am working on LXC containers for my project. I am interested in the
> security aspects of LXC.
> > What are the security threats from isolation perspective while using
> containers?
> >
> > How can we use SELinux to secure a container?
> > Any information will be very helpful.
>
> To my understanding, lxc without LSM is only useful to separate processes
> or network traffic for simpler setup/administration, but currently the
> lxc-separation is not very strict from a security point of view. Without LSM
> and lxc system virtualization, guest root == host root, e.g. via access of
> /proc/kcore, mem, ...
>
> See
> http://www.mail-archive.com/lxc-users@lists.sourceforge.net/msg03039.html
>
> Since I'm not sure that I could harden an LSM policy that prevents a
> guest UID=0 process from accessing anything outside the container (there
> may be a thousand ways via proc and syscalls I don't know about), I
> refrained from using lxc for system virtualization until secure open-source
> policies are available.
>
> Kind regards,
> Roman
>
_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
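
On the capability-limiting question raised in the reply above, this added example (not part of the thread, and not LXC's own code) decodes the capability bounding set from a container process's `/proc/<pid>/status` and reports which high-risk capabilities are still present, including `CAP_SYS_RAWIO`, which gates `/dev/mem` and `/proc/kcore`. The list of flagged capabilities, the helper names and the sample status text are assumptions made for illustration.

```python
import re
import sys

# Bit numbers are from <linux/capability.h>. Which capabilities to flag, and
# the short reasons, are this example's own selection (an assumption).
RISKY_CAPS = {
    16: ("CAP_SYS_MODULE", "load kernel modules"),
    17: ("CAP_SYS_RAWIO", "open /dev/mem and /proc/kcore"),
    21: ("CAP_SYS_ADMIN", "mount filesystems and many other admin operations"),
    22: ("CAP_SYS_BOOT", "reboot the machine"),
    25: ("CAP_SYS_TIME", "set the system clock"),
    27: ("CAP_MKNOD", "create device nodes"),
    32: ("CAP_MAC_OVERRIDE", "override MAC (Smack)"),
    33: ("CAP_MAC_ADMIN", "change MAC configuration (Smack)"),
}
FULL_ROOT_MASK = (1 << 37) - 1  # constructed sample: bits 0..36 all set

def parse_cap_masks(status_text):
    """Return {'CapInh': int, 'CapBnd': int, ...} from /proc/<pid>/status text."""
    found = re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    return {m.group(1): int(m.group(2), 16) for m in found}

def risky_caps_present(status_text, field="CapBnd"):
    """List (name, reason) for every flagged capability still set in `field`."""
    masks = parse_cap_masks(status_text)
    if field not in masks:
        raise ValueError(f"{field} not found in status text")
    mask = masks[field]
    return [RISKY_CAPS[bit] for bit in sorted(RISKY_CAPS) if (mask >> bit) & 1]

def drop(mask, *names):
    """Clear the named capabilities from a mask (used to build sample input)."""
    bits = {name: bit for bit, (name, _) in RISKY_CAPS.items()}
    for name in names:
        mask &= ~(1 << bits[name])
    return mask

def sample_status(mask):
    """Constructed /proc/<pid>/status excerpt so the example runs offline."""
    return ("Name:\tinit\nUid:\t0\t0\t0\t0\n"
            f"CapInh:\t{0:016x}\nCapPrm:\t{mask:016x}\n"
            f"CapEff:\t{mask:016x}\nCapBnd:\t{mask:016x}\n")

if __name__ == "__main__":
    # With a PID argument, audit that process; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(f"/proc/{sys.argv[1]}/status") as fh:
            text = fh.read()
    else:
        text = sample_status(drop(FULL_ROOT_MASK, "CAP_SYS_MODULE", "CAP_SYS_RAWIO"))
    for name, reason in risky_caps_present(text):
        print(f"still in bounding set: {name} ({reason})")
```

Run it on the host with the PID of the container's init process; an empty result means only that the flagged capabilities are gone, not that the container is isolated.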
