So far, I drop these capabilities in my containers to enhance security:

lxc.cap.drop = mac_override
lxc.cap.drop = sys_module
lxc.cap.drop = sys_boot
lxc.cap.drop = sys_admin
lxc.cap.drop = sys_time
What about sys_rawio? The problem is, this capability allows access to /proc/kcore. Can I drop it, or is it necessary for important programs?

--
Ullrich Horlacher              Informationssysteme und Serverbetrieb
Rechenzentrum IZUS/TIK         E-Mail: horlac...@tik.uni-stuttgart.de
Universitaet Stuttgart         Tel:    ++49-711-68565868
Allmandring 30a                Fax:    ++49-711-682357
70550 Stuttgart (Germany)      WWW:    http://www.tik.uni-stuttgart.de/
REF:<20131024071900.gd12...@rus.uni-stuttgart.de>
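Whatever the answer on sys_rawio, a drop list in lxc.conf is only as good as the bounding set the container actually ends up with, so it is worth checking from inside the container. The following script is an added example, not from the original post or from LXC itself: it reads the CapBnd mask from /proc/PID/status and reports which capabilities from the poster's drop list (plus sys_rawio) are still present. The capability bit numbers are the ones from linux/capability.h; the masks used in the comments are constructed test values.

```shell
#!/bin/sh
# Capability bit numbers from linux/capability.h.  mac_override is bit 32,
# so the mask arithmetic needs 64-bit integers (bash and dash both provide them).
cap_number() {
  case "$1" in
    sys_module)   echo 16 ;;
    sys_rawio)    echo 17 ;;
    sys_admin)    echo 21 ;;
    sys_boot)     echo 22 ;;
    sys_time)     echo 25 ;;
    mac_override) echo 32 ;;
    *) return 1 ;;
  esac
}

# cap_present MASKHEX NAME -> exit 0 if NAME's bit is set in the hex mask,
# 1 if it is clear, 2 if NAME is not in the table above.
cap_present() {
  n=$(cap_number "$2") || return 2
  [ $(( 0x$1 >> n & 1 )) -eq 1 ]
}

# Bounding set of a process as printed by the kernel (hex, no 0x prefix);
# defaults to the calling shell.  Run this inside the container.
read_capbnd() {
  awk '/^CapBnd:/ { print $2 }' "/proc/${1:-self}/status"
}

# still_present MASKHEX NAME... -> prints each NAME whose bit is still set.
# Constructed example: mask 3fffffffff (all 38 caps) prints every name,
# mask 3efd9cffff (those six bits cleared) prints nothing.
still_present() {
  mask=$1; shift
  for c in "$@"; do
    cap_present "$mask" "$c" && printf '%s\n' "$c"
  done
  return 0
}

# Check the running shell against the drop list from the post plus sys_rawio.
check_self() {
  still_present "$(read_capbnd)" \
    mac_override sys_module sys_boot sys_admin sys_time sys_rawio
}

if [ -r /proc/self/status ]; then
  check_self
fi
```

An empty result from check_self means every listed capability is out of the bounding set; any name it prints is still available to root inside the container and should be looked at in the config.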