Re: [Lxc-users] lxc and guest /proc/kcore access restriction
Hi Serge, -Ursprüngliche Nachricht- Von: Serge Hallyn [mailto:serge.hal...@canonical.com] An: Fiedler Roman Cc: lxc-users@lists.sourceforge.net Betreff: Re: [Lxc-users] lxc and guest /proc/kcore access restriction Quoting Fiedler Roman (roman.fied...@ait.ac.at): Hello List, I have problems finding information about lxc with system virtualization and access restriction to /proc/kcore. In my setup, root in guest can read /proc/kcore, data from host shows up in container kcore, so kcore is not somehow faked/virtualized. I did not find no suitable information about securing /proc use inside container, so perhaps someone could point me to information to these questions? * Is secure /proc use (no escape, no major host/container or inter- container info leaks) inside guest possible? ATM I recommend you use an LSM to do that. Thanks for the hint, I'm looking into that. Is there anyone on this list, who is already using kernel memory isolation between guest and host or between guests? Which LSM variant and configuration is useful? Is there a good base configuration to start with? I'm using http://www.ibm.com/developerworks/linux/library/l-lxc-security/index.html?ca=dgr-lnxw961ELinux-Smack-ContainsS_TACT=105AGX59S_CMP=grsitelnxw961 for a start, but I guess it is a long road until all access to all critical /proc components and syscalls is restricted. Thanks, Roman -- Cloud Computing - Latest Buzzword or a Glimpse of the Future? This paper surveys cloud computing today: What are the benefits? Why are businesses embracing it? What are its payoffs and pitfalls? http://www.accelacomm.com/jaw/sdnl/114/51425149/ ___ Lxc-users mailing list Lxc-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-users
Re: [Lxc-users] lxc and guest /proc/kcore access restriction
Quoting Fiedler Roman (roman.fied...@ait.ac.at): Hi Serge, -Ursprüngliche Nachricht- Von: Serge Hallyn [mailto:serge.hal...@canonical.com] An: Fiedler Roman Cc: lxc-users@lists.sourceforge.net Betreff: Re: [Lxc-users] lxc and guest /proc/kcore access restriction Quoting Fiedler Roman (roman.fied...@ait.ac.at): Hello List, I have problems finding information about lxc with system virtualization and access restriction to /proc/kcore. In my setup, root in guest can read /proc/kcore, data from host shows up in container kcore, so kcore is not somehow faked/virtualized. I did not find no suitable information about securing /proc use inside container, so perhaps someone could point me to information to these questions? * Is secure /proc use (no escape, no major host/container or inter- container info leaks) inside guest possible? ATM I recommend you use an LSM to do that. Thanks for the hint, I'm looking into that. Is there anyone on this list, who is already using kernel memory isolation between guest and host or between guests? Which LSM variant and configuration is useful? Is there a good base configuration to start with? Yes, check out http://osdir.com/ml/lxc-chroot-linux-containers/2011-08/msg4.html for Olivier using Smack. I don't know of anyone using SELinux, but it should be a snap. I'm using http://www.ibm.com/developerworks/linux/library/l-lxc-security/index.html?ca=dgr-lnxw961ELinux-Smack-ContainsS_TACT=105AGX59S_CMP=grsitelnxw961 for a start, but I guess it is a long road until all access to all critical /proc components and syscalls is restricted. In the next few months we hope to have effective (not very flexibile, but effective) apparmor support. Then over the next 6 months after that, more flexibility will be added. (I can say more about the limitations etc, but I suspect as you can't use it right now that's less interesting to you than following up on the Smack usage.) http://wiki.ubuntu.com/LxcSecurity may be of interest. -serge -- Cloud Computing - Latest Buzzword or a Glimpse of the Future? This paper surveys cloud computing today: What are the benefits? Why are businesses embracing it? What are its payoffs and pitfalls? http://www.accelacomm.com/jaw/sdnl/114/51425149/ ___ Lxc-users mailing list Lxc-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-users
Re: [Lxc-users] lxc and guest /proc/kcore access restriction
Quoting Fiedler Roman (roman.fied...@ait.ac.at): Hello List, I have problems finding information about lxc with system virtualization and access restriction to /proc/kcore. In my setup, root in guest can read /proc/kcore, data from host shows up in container kcore, so kcore is not somehow faked/virtualized. I did not find no suitable information about securing /proc use inside container, so perhaps someone could point me to information to these questions? * Is secure /proc use (no escape, no major host/container or inter-container info leaks) inside guest possible? ATM I recommend you use an LSM to do that. -serge -- Systems Optimization Self Assessment Improve efficiency and utilization of IT resources. Drive out cost and improve service delivery. Take 5 minutes to use this Systems Optimization Self Assessment. http://www.accelacomm.com/jaw/sdnl/114/51450054/ ___ Lxc-users mailing list Lxc-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-users