On Thu, Aug 16, 2018 at 09:07:16PM +0200, Dr. Todor Dimitrov wrote:
> A follow-up: I assume the same applies to sys:mixed vs. sys:rw, correct?

Yes. Newer LXC versions will always set sys:rw for unpriv containers.

Christian

>
> Todor
>
> > On 23. May 2018, at 19:09, Christian Brauner <[email protected]> wrote:
> >
> > On Wed, May 23, 2018 at 06:13:02PM +0200, Dr. Todor Dimitrov wrote:
> >> Hello,
> >>
> >> is there any security benefit of using proc:mixed inside an unprivileged
> >> container? Or does proc:rw deliver the same level of isolation?
> >
> > There's no security benefit for unprivileged containers. They can't
> > change /proc/sys and /proc/sysrq-trigger. If they can and the file isn't
> > namespaced it's a bug.
> >
> > Christian
> >
> >>
> >> lxc.mount.auto = proc:mixed
> >>
> >> vs.
> >>
> >> lxc.mount.auto = proc:rw
> >>
> >> Thanks in advance,
> >> Todor
> >>
> >> _______________________________________________
> >> lxc-users mailing list
> >> [email protected]
> >> http://lists.linuxcontainers.org/listinfo/lxc-users
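
To see from inside a container which of the two settings discussed in this thread is in effect, and whether the container is unprivileged, the following added example (not part of the original messages, and not LXC's own code) reads the mount table and the uid map. The function names are hypothetical and the sample mountinfo excerpt is constructed and simplified; it relies on the documented behaviour that proc:mixed leaves /proc/sys and /proc/sysrq-trigger mounted read-only.

```shell
#!/bin/sh
# Added example (not from the thread): report how /proc is mounted and whether
# this looks like an unprivileged container. Run inside the container.

# Mount options (mountinfo field 6) of the last mount on exactly $1.
# $2 = mountinfo file; defaults to the caller's own view.
mount_opts() {
    awk -v mp="$1" '$5 == mp { o = $6 } END { print o }' "${2:-/proc/self/mountinfo}"
}

# ro / rw for a mount on $1, or "none" when nothing is mounted over it.
mount_mode() {
    case ",$(mount_opts "$1" "$2")," in
        ,,)     echo none ;;
        *,ro,*) echo ro ;;
        *)      echo rw ;;
    esac
}

# proc:mixed leaves read-only mounts on both paths; proc:rw leaves none.
proc_auto_mode() {
    if [ "$(mount_mode /proc/sys "$1")" = ro ] &&
       [ "$(mount_mode /proc/sysrq-trigger "$1")" = ro ]; then
        echo mixed
    else
        echo rw
    fi
}

# uid_map lines are "<id inside> <id in parent userns> <count>". Heuristic:
# root mapped to a non-zero parent id means an unprivileged container.
userns_kind() {
    awk '$1 == 0 { r = ($2 == 0) ? "privileged" : "unprivileged" }
         END { print (r == "" ? "root-unmapped" : r) }' "${1:-/proc/self/uid_map}"
}

# Constructed, simplified mountinfo excerpt in the shape proc:mixed produces.
sample_mountinfo() {
    cat <<'EOF'
410 400 0:52 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
411 410 0:52 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
412 410 0:52 /sysrq-trigger /proc/sysrq-trigger ro,relatime - proc proc rw
EOF
}

if [ -r /proc/self/mountinfo ] && [ -r /proc/self/uid_map ]; then
    echo "proc=$(proc_auto_mode) userns=$(userns_kind)"
fi
```

A result of `userns=privileged` means the statement in the thread about unprivileged containers does not cover that container.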
