[libvirt] [PATCH] lxc: Stop mounting /proc and /sys read only

Chen, Hanxiao chenhanxiao at cn.fujitsu.com
Fri Jan 9 04:14:58 UTC 2015



> -----Original Message-----
> From: Daniel P. Berrange [mailto:berrange at redhat.com]
> Sent: Thursday, January 08, 2015 9:03 PM
> To: libvir-list at redhat.com
> Cc: Richard Weinberger; Chen, Hanxiao/陈 晗霄; Daniel P. Berrange
> Subject: [PATCH] lxc: Stop mounting /proc and /sys read only
> 
> Mounting parts of /proc and /sys read only provides no security
> without user namespaces, since root has privilege to remount
> them writable again. When user namespaces are enabled, it offers
> no security benefit, since the UID remapping already prevents
> write access to the correct areas.
> ---
>  src/lxc/lxc_container.c | 15 +++++++++++----
>  1 file changed, 11 insertions(+), 4 deletions(-)

ACK.

We also need to do some cleanups in lxcContainerMountBasicFS;
also for commit:
ba9b7252ea8d87dfa217fb11dc5dadc039176807

Thanks,

- Chen



