Re: [libvirt] [PATCH 2 of 2] Use cgroup functions to set resource limits on LXC domains

Thursday, 16 October 2008

DB> So if that source code comment is correct, all we need todo is set
DB> a deny-all rule in that intermediate 'lxc' cgroup, and then
DB> containers will not be able to get access back, even if they have
DB> CAP_SYS_ADMIN

Even if I make the per-driver group have a deny-all policy, I can
still add arbitrary items to devices.allow and gain access from a
subgroup.  So, I think we're going to need to restrict CAP_SYS_ADMIN
if we really want isolation, but I'm not sure what else that is likely
to break.

-- 
Dan Smith
IBM Linux Technology Center
Open Hypervisor Team
email: danms(a)us.ibm.com

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

Re: [libvirt] [PATCH 2 of 2] Use cgroup functions to set resource limits on LXC domains