From 96988a37f52b65e8b703b6c2de138c34486215ad Mon Sep 17 00:00:00 2001
From: globalcitizen
Date: Thu, 20 Jun 2013 00:37:08 +0700
Subject: [PATCH 1/2] Add healthy procfs/sysfs warnings
---
 lxc_template.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/lxc_template.go b/lxc_template.go
index 3d102a5a2e..4cca083828 100644
--- a/lxc_template.go
+++ b/lxc_template.go
@@ -67,7 +67,11 @@ lxc.cgroup.devices.allow = c 10:200 rwm
 # standard mount point
+# WARNING: procfs is a known attack vector and should probably be disabled
+# if your userspace allows it. eg. see http://blog.zx2c4.com/749
 lxc.mount.entry = proc {{$ROOTFS}}/proc proc nosuid,nodev,noexec 0 0
+# WARNING: sysfs is a known attack vector and should probably be disabled
+# if your userspace allows it. eg. see http://bit.ly/T9CkqJ
 lxc.mount.entry = sysfs {{$ROOTFS}}/sys sysfs nosuid,nodev,noexec 0 0
 lxc.mount.entry = devpts {{$ROOTFS}}/dev/pts devpts newinstance,ptmxmode=0666,nosuid,noexec 0 0
 #lxc.mount.entry = varrun {{$ROOTFS}}/var/run tmpfs mode=755,size=4096k,nosuid,nodev,noexec 0 0
From 788d66f409ce3a7e464bbb68d909960648f2515c Mon Sep 17 00:00:00 2001
From: globalcitizen
Date: Thu, 20 Jun 2013 00:39:35 +0700
Subject: [PATCH 2/2] Add note about lxc.cap.keep > lxc.cap.drop
---
 lxc_template.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/lxc_template.go b/lxc_template.go
index 4cca083828..45408d4bfb 100644
--- a/lxc_template.go
+++ b/lxc_template.go
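Review bot: The two WARNING comments added in front of the proc and sysfs mount entries are not actionable for anyone rendering this template: practically no container userspace runs without /proc, and the `nosuid,nodev,noexec` flags on those entries do nothing to stop writes, so unless root in the container is mapped through a user namespace (nothing in this template shows one) container root can still write to /proc/sys/* and /proc/sysrq-trigger, which is the exposure that actually matters here. A comment naming the mitigation would serve a maintainer better, e.g. `# proc cannot be mounted ro without breaking most images; bind-mount the dangerous paths read-only instead, e.g. lxc.mount.entry = /dev/null {{$ROOTFS}}/proc/sysrq-trigger none bind,ro 0 0`. The `http://bit.ly/T9CkqJ` shortener is opaque, can be redirected and may expire; a security comment should spell out the destination URL. Both entries sit inside the Go template raw string, whose start and end lie outside this hunk.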
@@ -90,6 +90,9 @@ lxc.mount.entry = {{$realPath}} {{$ROOTFS}}/{{$virtualPath}} none bind,rw 0 0
 {{end}}
 # drop linux capabilities (apply mainly to the user root in the container)
+# (Note: 'lxc.cap.keep' is coming soon and should replace this under the
+# security principle 'deny all unless explicitly permitted', see
+# http://sourceforge.net/mailarchive/message.php?msg_id=31054627 )
 lxc.cap.drop = audit_control audit_write mac_admin mac_override mknod setfcap setpcap sys_admin sys_boot sys_module sys_nice sys_pacct sys_rawio sys_resource sys_time sys_tty_config
 # limits
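Review bot: The added note describes a future LXC feature ("coming soon") and links a mailing-list thread, but leaves unstated the property of the `lxc.cap.drop` line it annotates that a maintainer needs to know: it is a deny-list, so every capability not named in it — including any introduced by a kernel newer than the one this list was written against — stays available to root in the container. I would replace the three added lines with `# NOTE: lxc.cap.drop is a deny-list: any capability not named below (including ones added by newer kernels) is kept. Switch to lxc.cap.keep (allow-list) once the supported LXC provides it; see http://sourceforge.net/mailarchive/message.php?msg_id=31054627` so the comment documents the risk rather than the plan. "Coming soon" also has no reference point; if it stays, pin it to an LXC version or mark it as a TODO so it does not rot silently. The Go template string these lines belong to begins and ends outside the hunk.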