Denis Rizaev | 27 Aug 17:52 2010

cgroup isolation

Hi folks.

I tried to mount the cgroup fs in a container and was surprised that I can see the whole cgroups tree. Also I can modify limits for my container and others!!
In my opinion a container should see only its own level of the cgroup tree, not the whole tree.
Is it a fundamental design flaw, or did I miss something?
_______________________________________________
Lxc-devel mailing list
Lxc-devel@...
https://lists.sourceforge.net/lists/listinfo/lxc-devel
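An added check (example code, not from this thread or from LXC) for the situation Denis describes: it compares the container's own cgroup path from /proc/self/cgroup with the root field of each cgroup mount in /proc/self/mountinfo, and flags a mount whose root is an ancestor of the process's cgroup as exposing parent and sibling cgroups. The container name web1 and the sample file contents are constructed.

```python
# Constructed /proc/self/cgroup for a hypothetical container "web1".
SAMPLE_PROC_CGROUP = "3:memory:/lxc/web1\n2:cpu,cpuacct:/lxc/web1\n"
# Constructed /proc/self/mountinfo: the memory mount has root "/" (whole tree
# visible); the cpu mount was bind-mounted from the container's own cgroup.
SAMPLE_MOUNTINFO = (
    "30 25 0:26 / /sys/fs/cgroup/memory rw,relatime - cgroup cgroup rw,memory\n"
    "31 25 0:27 /lxc/web1 /sys/fs/cgroup/cpu rw,relatime - cgroup cgroup rw,cpu,cpuacct\n"
)

def parse_proc_cgroup(text):
    """Map each controller to the calling process's path in that hierarchy."""
    paths = {}
    for line in text.splitlines():
        if line.strip():
            _hier, controllers, path = line.split(":", 2)
            for ctrl in controllers.split(","):
                if ctrl:
                    paths[ctrl] = path
    return paths

def parse_cgroup_mounts(text):
    """Return (mountpoint, root-within-fs, controllers) per cgroup mount."""
    mounts = []
    for line in text.splitlines():
        if " - " not in line:
            continue
        pre, post = line.split(" - ", 1)
        fields, (fstype, _src, superopts) = pre.split(), post.split(None, 2)
        if fstype == "cgroup":  # mountinfo: field 3 = root, field 4 = mount point
            ctrls = {o for o in superopts.split(",") if o not in ("rw", "ro")}
            mounts.append((fields[4], fields[3], ctrls))
    return mounts

def audit(proc_cgroup_text, mountinfo_text):
    """Return {mountpoint: (controller, verdict)}. 'exposed' means the mount
    root is an ancestor of our own cgroup, so parent/sibling cgroups are visible."""
    own = parse_proc_cgroup(proc_cgroup_text)
    report = {}
    for mountpoint, root, ctrls in parse_cgroup_mounts(mountinfo_text):
        ctrl = next((c for c in sorted(ctrls) if c in own), None)
        if ctrl is None:
            continue
        path = own[ctrl]
        if root == path:
            verdict = "confined"
        elif root == "/" or path.startswith(root.rstrip("/") + "/"):
            verdict = "exposed"
        else:
            verdict = "unrelated"
        report[mountpoint] = (ctrl, verdict)
    return report
```

On a real host, feed it the contents of /proc/self/cgroup and /proc/self/mountinfo read from inside the container; an additional writability check on each reported mount point would cover the second half of the observation, whether limits can be modified.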
Daniel Lezcano | 30 Aug 15:50 2010

Re: cgroup isolation

On 08/27/2010 05:52 PM, Denis Rizaev wrote:
> Hi folks.
> I tried to mount the cgroup fs in a container and was surprised that I can see the whole
> cgroups tree. Also I can modify limits for my container and others!!
> In my opinion a container should see only its own level of the cgroup tree, not the whole
> tree.
> Is it a fundamental design flaw, or did I miss something?
I think this is something you can prevent with SMACK.

There is documentation here:

http://www.ibm.com/developerworks/linux/library/l-lxc-security/

I am not an expert in this area, so I don't have too much to say :)
Serge (the author of the document) knows much more than me on this.

Thanks
   -- Daniel
