Unprivileged LXC - proc:mixed vs. proc:rw
Dr. Todor Dimitrov
2018-05-23 16:13:02 UTC
Hello,

is there any security benefit of using proc:mixed inside an unprivileged container? Or does proc:rw deliver the same level of isolation?

lxc.mount.auto = proc:mixed

vs.

lxc.mount.auto = proc:rw

Thanks in advance,
Todor
Christian Brauner
2018-05-23 17:09:48 UTC
Post by Dr. Todor Dimitrov
Hello,
is there any security benefit of using proc:mixed inside an unprivileged container? Or does proc:rw deliver the same level of isolation?
There's no security benefit for unprivileged containers. They can't
change /proc/sys and /proc/sysrq-trigger. If they can and the file isn't
namespaced it's a bug.

Christian
Post by Dr. Todor Dimitrov
lxc.mount.auto = proc:mixed
vs.
lxc.mount.auto = proc:rw
Thanks in advance,
Todor
_______________________________________________
lxc-users mailing list
http://lists.linuxcontainers.org/listinfo/lxc-users
Dr. Todor Dimitrov
2018-08-16 19:07:16 UTC
A follow-up: I assume the same applies to sys:mixed vs. sys:rw, correct?

Todor
Post by Christian Brauner
Post by Dr. Todor Dimitrov
Hello,
is there any security benefit of using proc:mixed inside an unprivileged container? Or does proc:rw deliver the same level of isolation?
There's no security benefit for unprivileged containers. They can't
change /proc/sys and /proc/sysrq-trigger. If they can and the file isn't
namespaced it's a bug.
Christian
Post by Dr. Todor Dimitrov
lxc.mount.auto = proc:mixed
vs.
lxc.mount.auto = proc:rw
Thanks in advance,
Todor
Christian Brauner
2018-08-17 09:41:11 UTC
Post by Dr. Todor Dimitrov
A follow-up: I assume the same applies to sys:mixed vs. sys:rw, correct?
Yes. Newer LXC versions will always set sys:rw for unpriv containers.

Christian
Post by Dr. Todor Dimitrov
Todor
Post by Christian Brauner
Post by Dr. Todor Dimitrov
Hello,
is there any security benefit of using proc:mixed inside an unprivileged container? Or does proc:rw deliver the same level of isolation?
There's no security benefit for unprivileged containers. They can't
change /proc/sys and /proc/sysrq-trigger. If they can and the file isn't
namespaced it's a bug.
Christian
Post by Dr. Todor Dimitrov
lxc.mount.auto = proc:mixed
vs.
lxc.mount.auto = proc:rw
Thanks in advance,
Todor
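As an added example (not from this thread or from the LXC project), here is a small Python probe that checks Christian's claim for both the proc:mixed and the sys:mixed questions from inside a container: it opens the files that proc:mixed and sys:mixed would remount read-only for writing, without ever writing to them, and reports whether the user namespace denied the open (EACCES), a read-only remount denied it (EROFS), or it was writable. The probe path list, the namespaced-prefix list and the verdict labels are my own assumptions; `lxc.mount.auto`, `lxc.idmap` and the older `lxc.id_map` are real LXC config keys.

```python
import errno
import os
import re

# Constructed probe list. A user namespace denies writes to non-namespaced
# files (EACCES); a proc:mixed / sys:mixed read-only remount denies them
# with EROFS instead. Either counts as "denied".
PROBE_PATHS = (
    "/proc/sysrq-trigger",
    "/proc/sys/kernel/sysrq",
    "/proc/sys/net/ipv4/ip_forward",  # net sysctls are namespaced: writable is fine
    "/sys/kernel/uevent_helper",      # absent on some kernels (reported as ENOENT)
)
NAMESPACED_PREFIXES = ("/proc/sys/net/", "/sys/devices/virtual/net/")  # may be writable

def probe_write_access(path):
    """Open for writing but never write. Returns 'writable' or an errno name."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    os.close(fd)
    return "writable"

def parse_mount_auto(config_text):
    """'lxc.mount.auto = proc:rw sys:mixed' -> {'proc': 'rw', 'sys': 'mixed'}."""
    modes = {}
    for line in config_text.splitlines():
        m = re.match(r"\s*lxc\.mount\.auto\s*=\s*(.*)", line)
        for entry in m.group(1).split() if m else ():
            name, _, opt = entry.partition(":")
            modes[name] = opt or "(unspecified)"  # bare 'proc': LXC default applies
    return modes

def is_unprivileged(config_text):
    """An id mapping (lxc.idmap, or the older lxc.id_map) marks it unprivileged."""
    return re.search(r"^\s*lxc\.id_?map\s*=", config_text, re.M) is not None

def verdict(path, result, unpriv):
    if result != "writable":
        return "denied"
    if unpriv and not path.startswith(NAMESPACED_PREFIXES):
        return "writable-UNEXPECTED"  # the bug case from the thread
    return "writable-ok"

def audit(config_text, probe=probe_write_access, paths=PROBE_PATHS):
    """Return (path, probe result, verdict) triples for this container config."""
    unpriv = is_unprivileged(config_text)
    results = [(p, probe(p)) for p in paths]
    return [(p, r, verdict(p, r, unpriv)) for p, r in results]
```

Feed `audit()` the container's config text and run it as root inside the container; a non-namespaced path reported as writable in an unprivileged container is the case Christian calls a bug (or a sign the container is not actually unprivileged), while EACCES under proc:rw and EROFS under proc:mixed are the two equivalent "denied" outcomes the thread describes.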