
I was reading about LXC vs OpenVZ and was wondering if this issue has already been solved in more recent updates:

OpenVZ has done quite a good job at this, but LXC still has issues here. Even with AppArmor enabled, in Ubuntu you still have access to dmesg from the guests and /proc/kcore and /proc/sysrq-trigger are still accessible, so a root user in a guest VM could easily restart the host machine. Improvements are planned for Ubuntu version 13.04.

source: http://www.janoszen.com/2013/01/22/lxc-vs-openvz/

2 Answers


By using echo 1 > /proc/sys/kernel/dmesg_restrict you can restrict dmesg access to the root user of the host. Other users, including the root user in the LXC container, then have no access.

  • This does not seem to work with linux 3.16.0 here. The setting is there, it is set to 1 afterwards, but the LXC-containers still show the dmesg output. Commented Sep 30, 2015 at 21:29
  • @allo This probably works only for unprivileged containers. Commented Oct 1, 2015 at 10:25
  • Ah, that makes sense. Still a problem, because other containers are isolating this better. Commented Oct 2, 2015 at 19:51

To disable access to /proc/kcore:

lxc.cap.drop = sys_rawio

To disable access to dmesg, load the following file using the lxc.seccomp option:

    2
    blacklist
    [all]
    syslog errno 1

Works fine for me on LXC-1.0.6, kernel 4.3.0.
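As an added example (not from the question, either answer, or the LXC project), these POSIX sh helpers let you verify the three settings discussed here from the host side: whether a seccomp v2 policy file actually denies syslog(2), whether a container config drops sys_rawio and loads a policy, and whether dmesg_restrict is set. The container paths in the commented usage are assumptions.

```shell
#!/bin/sh
# Constructed audit helpers for the settings discussed in the answers above.
# Not LXC project code; the policy format handling assumes the v2 layout:
# line 1 "2", line 2 default policy (blacklist/whitelist), then "[arch]"
# sections and "syscall action" rules (actions: allow, errno N, kill, trap).

# Returns 0 if POLICY denies SYSCALL, 1 if it allows it, 2 if unparseable.
seccomp_denies() {                       # usage: seccomp_denies POLICY SYSCALL
    policy=$1 sc=$2
    [ "$(sed -n 1p "$policy")" = 2 ] || return 2        # unsupported version
    mode=$(sed -n 2p "$policy")
    # action of the first rule naming the syscall; empty when it is not listed;
    # a rule with no explicit action is treated as a deny
    action=$(awk -v s="$sc" '$1 == s { print ($2 == "" ? "deny" : $2); exit }' "$policy")
    case "$mode:$action" in
        blacklist:)              return 1 ;;   # not listed: allowed by default
        whitelist:)              return 0 ;;   # not listed: denied by default
        *:allow)                 return 1 ;;   # explicit allow rule
        blacklist:*|whitelist:*) return 0 ;;   # errno/kill/trap rule present
        *)                       return 2 ;;   # unknown default policy
    esac
}

# Returns 0 if CONFIG drops sys_rawio (blocks /proc/kcore) and points
# lxc.seccomp at a policy file; prints whatever is missing.
config_hardened() {                      # usage: config_hardened CONFIG
    ok=0
    grep -Eq '^[[:space:]]*lxc\.cap\.drop[[:space:]]*=([^#]*[[:space:]])?sys_rawio([[:space:]]|$)' "$1" \
        || { echo "missing: lxc.cap.drop = sys_rawio"; ok=1; }
    grep -Eq '^[[:space:]]*lxc\.seccomp[[:space:]]*=[[:space:]]*[^[:space:]]' "$1" \
        || { echo "missing: lxc.seccomp = <policy file>"; ok=1; }
    return $ok
}

# Returns 0 if the kernel restricts dmesg to CAP_SYSLOG holders. Reads FILE
# (default /proc/sys/kernel/dmesg_restrict) so it can also be run on a copy.
# Root in a privileged container normally still holds CAP_SYSLOG, which is
# why the comment above saw dmesg_restrict help only for unprivileged ones.
dmesg_restricted() {                     # usage: dmesg_restricted [FILE]
    [ "$(tr -d '[:space:]' < "${1:-/proc/sys/kernel/dmesg_restrict}")" = 1 ]
}

# Example use on an LXC 1.0 host (container name and paths are assumptions):
#   seccomp_denies /var/lib/lxc/web/seccomp.policy syslog && echo "syslog denied"
#   config_hardened /var/lib/lxc/web/config && echo "config hardened"
#   dmesg_restricted && echo "dmesg restricted on host"
```

Source the file and call the functions; each returns a shell status you can use in a pre-start check.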
