Re: [libvirt] [PATCH 2 of 2] Use cgroup functions to set resource limits on LXC domains

Thursday, 16 October 2008

DB> The device whitelisting is all very nice, but we completely forgot
DB> / ignored the fact that there's nothing stopping a container
DB> mounting the cgroups device controller and giving itself the
DB> device access we just took away :-)

Ah, interesting.

DB> So, looks like we need to explicitly set the capabilities of
DB> containers to either mask out CAP_SYS_ADMIN from libvirtd's set,
DB> or construct an explicit capability whitelist

Yeah, I guess so.  I'll start looking into this :)

-- 
Dan Smith
IBM Linux Technology Center
Open Hypervisor Team
email: danms(a)us.ibm.com

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

Re: [libvirt] [PATCH 2 of 2] Use cgroup functions to set resource limits on LXC domains