-----Original Message----- From: Daniel P. Berrange [mailto:berrange@redhat.com] Sent: Thursday, January 08, 2015 9:03 PM To: libvir-list@redhat.com Cc: Richard Weinberger; Chen, Hanxiao/陈 晗霄; Daniel P. Berrange Subject: [PATCH] lxc: Stop mouning /proc and /sys read only
Mounting parts of /proc and /sys read only provides no security without user namespaces, since root has privilege to remount them writable again. When user namepaces are enable, if offers no security benefit, since the UID remapping already prevents write access to the correct areas. --- src/lxc/lxc_container.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-)
ACK. We also need to do some cleanups in lxcContainerMountBasicFS; also for commit: ba9b7252ea8d87dfa217fb11dc5dadc039176807 Thanks, - Chen