[libvirt] [PATCH] lxc: Stop mounting /proc and /sys read only

Chen, Hanxiao chenhanxiao at cn.fujitsu.com
Fri Jan 9 04:14:58 UTC 2015

> -----Original Message-----
> From: Daniel P. Berrange [mailto:berrange at redhat.com]
> Sent: Thursday, January 08, 2015 9:03 PM
> To: libvir-list at redhat.com
> Cc: Richard Weinberger; Chen, Hanxiao/陈 晗霄; Daniel P. Berrange
> Subject: [PATCH] lxc: Stop mounting /proc and /sys read only
> Mounting parts of /proc and /sys read only provides no security
> without user namespaces, since root has privilege to remount
> them writable again. When user namespaces are enabled, it offers
> no security benefit, since the UID remapping already prevents
> write access to the correct areas.
> ---
>  src/lxc/lxc_container.c | 15 +++++++++++----
>  1 file changed, 11 insertions(+), 4 deletions(-)


We also need to do some cleanups in lxcContainerMountBasicFS;
also for commit:


- Chen
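As an added illustration of the reasoning in the quoted commit message (this script is not part of the libvirt patch or of libvirt itself), the following POSIX shell functions read a container's uid_map and mountinfo, passed in as strings so they can be run on captured files, and report whether read-only submounts of /proc and /sys are doing any work: with an identity uid_map they add nothing, because container root can remount them, and with a real remapping the UID mapping is already what prevents the writes. The sample data at the bottom is constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not libvirt code: classify a container's read-only
# /proc and /sys submounts against its uid_map.

# Return 0 when uid_map is the identity mapping of the full UID range,
# i.e. no user namespace remapping is in effect.
# uid_map lines are: <start-in-namespace> <start-on-host> <count>
uidmap_is_identity() {
    printf '%s\n' "$1" | awk '
        NF == 3 && $1 == 0 && $2 == 0 && $3 >= 4294967295 { hit = 1 }
        END { exit hit ? 0 : 1 }'
}

# Print, one per line, the mount points under /proc or /sys whose
# per-mount options contain "ro". In /proc/self/mountinfo field 5 is
# the mount point and field 6 the per-mount options; everything after
# the "-" separator is the superblock, which we ignore here.
ro_proc_sys_mounts() {
    printf '%s\n' "$1" | awk '
        ($5 ~ /^\/(proc|sys)(\/|$)/) && ($6 ~ /(^|,)ro(,|$)/) { print $5 }'
}

# Summarise the combination, following the argument in the commit message.
assess() {
    uidmap="$1"; mountinfo="$2"
    ro="$(ro_proc_sys_mounts "$mountinfo")"
    if [ -z "$ro" ]; then
        echo "no read-only /proc or /sys submounts"
    elif uidmap_is_identity "$uidmap"; then
        echo "ro submounts present, no user namespace: remountable by container root"
    else
        echo "ro submounts present, user namespace active: uid remap already protects"
    fi
}

# Constructed sample data shaped like /proc/self/uid_map and
# /proc/self/mountinfo as seen from inside a container.
SAMPLE_UIDMAP_IDENTITY='         0          0 4294967295'
SAMPLE_UIDMAP_REMAPPED='         0     100000      65536'
SAMPLE_MOUNTINFO='21 20 0:19 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
22 21 0:19 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
23 20 0:20 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs rw
24 20 0:21 / /dev rw,nosuid - tmpfs tmpfs rw'

assess "$SAMPLE_UIDMAP_IDENTITY" "$SAMPLE_MOUNTINFO"
assess "$SAMPLE_UIDMAP_REMAPPED" "$SAMPLE_MOUNTINFO"
```

To use it on a live container, capture `/proc/self/uid_map` and `/proc/self/mountinfo` from inside it and pass their contents as the two arguments to `assess`.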
