[Devel] how to do not allow to mount /cgroup inside container?

Krzysztof Taraszka krzysztof.taraszka at gnuhosting.net
Tue Aug 25 05:17:39 PDT 2009


Hi,

I was looking for a possibility to secure an lxc container so as not to allow the 'root
container user' to change limits from cgroup. Right now without STACK64
or SELinux he can do this easily.
I read the http://www.ibm.com/developerworks/linux/library/l-lxc-security/cookbook
and decided to use the STACK64 kernel mechanism.
Well... mounting cgroup inside the container fails (great!, that is what I was looking for
;)) but networking fails too (the interface comes up, sshd comes up, there is a connection
between host and container, but 'mtr', 'ping' and even 'apt-get update'
fail and I do not know why). I secured my container exactly as in the
cookbook.

Is there any other possibility to have a secure container without network
problems, or any hint on how to enable networking with stack64 enabled? If so,
maybe the l-lxc-security cookbook has to be updated? Maybe another kernel
patch to not allow the container to mount cgroup when the mount call comes
from the container?

Any ideas?

-- 
Krzysztof Taraszka
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers
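The post rests on two conditions that a container root needs before it can rewrite its own limits: the ability to call mount(2), which on a kernel of this era requires CAP_SYS_ADMIN, and a cgroup filesystem to write to (either one it mounts itself or one the host already exposed into the container). The script below is an added example, not code from the post or from lxc, that checks both from inside a container by parsing the CapEff mask in /proc/self/status (bit 21 is CAP_SYS_ADMIN in <linux/capability.h>) and the filesystem-type field of /proc/self/mounts. The /proc text it runs on here is constructed so it works offline; the report call at the end shows how it would be pointed at the live files.

```shell
#!/bin/sh
# Added example (not from the original post or from lxc): from inside a
# container, test the two preconditions for mounting cgroupfs and editing
# one's own limits. Works on the text of /proc/self/status and
# /proc/self/mounts; the samples below are constructed, not captured.

CAP_SYS_ADMIN=21   # capability number from <linux/capability.h>

# cap_set HEXMASK BIT -> true if bit BIT is set in the hex capability mask
cap_set() {
    # shift the mask right by BIT and keep the low bit; masks fit in 64 bits
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# capeff_of STATUS_TEXT -> prints the CapEff hex mask from /proc/PID/status
capeff_of() {
    printf '%s\n' "$1" | awk '$1 == "CapEff:" { print $2 }'
}

# has_sys_admin STATUS_TEXT -> true if CapEff includes CAP_SYS_ADMIN,
# i.e. mount(2) is allowed for this process
has_sys_admin() {
    mask=$(capeff_of "$1")
    [ -n "$mask" ] && cap_set "$mask" "$CAP_SYS_ADMIN"
}

# cgroup_mounted MOUNTS_TEXT -> true if any /proc/self/mounts line has
# filesystem type "cgroup" (third field), so limits are already writable
cgroup_mounted() {
    printf '%s\n' "$1" | awk '$3 == "cgroup" { found = 1 } END { exit found ? 0 : 1 }'
}

# report STATUS_TEXT MOUNTS_TEXT -> human-readable summary of both checks
report() {
    if has_sys_admin "$1"; then
        echo "CAP_SYS_ADMIN present: root here can mount cgroup and edit its own limits"
    else
        echo "CAP_SYS_ADMIN absent: mount(2) of cgroup will fail with EPERM"
    fi
    if cgroup_mounted "$2"; then
        echo "cgroup fs already visible: limits writable without a new mount"
    else
        echo "no cgroup fs mounted in this mount namespace"
    fi
}

# Constructed samples: a full root capability set versus a reduced one,
# and a mount table with and without a cgroup filesystem.
STATUS_FULL='Name:	sh
CapEff:	0000003fffffffff'
STATUS_DROPPED='Name:	sh
CapEff:	00000000a80425fb'
MOUNTS_WITH_CGROUP='cgroup /cgroup cgroup rw,cpuset,memory 0 0
proc /proc proc rw 0 0'
MOUNTS_PLAIN='proc /proc proc rw 0 0
/dev/root / ext3 rw 0 0'

report "$STATUS_FULL" "$MOUNTS_WITH_CGROUP"
report "$STATUS_DROPPED" "$MOUNTS_PLAIN"
# On a live system: report "$(cat /proc/self/status)" "$(cat /proc/self/mounts)"
```

The second check matters even when the first fails: denying the mount does nothing if the host's cgroup hierarchy is already bind-mounted into the container's tree, which is why the script reports both.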