-----Original Message-----
From: Daniel P. Berrange [mailto:berrange@redhat.com]
Sent: Thursday, January 08, 2015 9:03 PM
To: libvir-list(a)redhat.com
Cc: Richard Weinberger; Chen, Hanxiao/陈 晗霄; Daniel P. Berrange
Subject: [PATCH] lxc: Stop mounting /proc and /sys read only

Mounting parts of /proc and /sys read only provides no security
without user namespaces, since root has privilege to remount
them writable again. When user namespaces are enabled, it offers
no security benefit, since the UID remapping already prevents
write access to the correct areas.
---
src/lxc/lxc_container.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)

ACK.
We also need to do some cleanups in lxcContainerMountBasicFS;
also for commit:
ba9b7252ea8d87dfa217fb11dc5dadc039176807
Thanks,
- Chen
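
Added example, not part of the original thread or of libvirt: an audit helper that applies the commit message's reasoning to a container's /proc/self/mountinfo, /proc/self/status and /proc/self/uid_map contents. All function names, result labels and sample data are constructed for illustration; the "remount-needs-cap-sys-admin" case goes beyond the message and assumes only that remounting requires CAP_SYS_ADMIN.

```python
import re

CAP_SYS_ADMIN = 21  # bit number from linux/capability.h; needed to (re)mount

# Constructed sample data, not taken from the thread.
MOUNTINFO = """\
65 60 0:45 / /proc rw,nosuid,nodev,noexec - proc proc rw
66 65 0:45 /sys /proc/sys ro,nosuid,nodev,noexec - proc proc rw
67 60 0:46 / /sys ro,nosuid,nodev,noexec - sysfs sysfs rw
68 60 0:47 / /dev rw,nosuid - tmpfs devfs rw,mode=755
"""
STATUS_FULL_CAPS = "Name:\tinit\nCapEff:\t0000003fffffffff\n"
UID_MAP_IDENTITY = "         0          0 4294967295\n"  # no user namespace
UID_MAP_REMAPPED = "         0     100000      65536\n"  # user namespace


def readonly_proc_sys_mounts(mountinfo):
    """Mount points at or below /proc and /sys whose mount options include 'ro'."""
    found = []
    for fields in (line.split() for line in mountinfo.splitlines()):
        if len(fields) >= 6 and re.match(r"/(proc|sys)(/|$)", fields[4]):
            if "ro" in fields[5].split(","):
                found.append(fields[4])
    return found


def has_cap_sys_admin(status):
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status, re.MULTILINE)
    return bool(m) and bool((int(m.group(1), 16) >> CAP_SYS_ADMIN) & 1)


def root_is_host_root(uid_map):
    """True when UID 0 inside maps to UID 0 outside, i.e. no remapping of root."""
    for line in uid_map.splitlines():
        inside, outside, count = (int(x) for x in line.split())
        if inside <= 0 < inside + count:
            return outside - inside == 0
    return False


def assess(mountinfo, status, uid_map):
    """Classify the read-only mounts using the reasoning in the commit message."""
    ro = readonly_proc_sys_mounts(mountinfo)
    if not ro:
        return "no-readonly-mounts", ro
    if not root_is_host_root(uid_map):
        return "uid-remapping-is-the-control", ro
    if has_cap_sys_admin(status):
        return "root-can-remount-writable", ro
    return "remount-needs-cap-sys-admin", ro
```

To audit a running container, pass the text of the three /proc/self files read from inside it instead of the constructed samples.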