| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 10 Oct 2011 23:25:23 -0400 From: Ted Ts'o <tytso@....edu> To: Matt Helsley <matthltc@...ibm.com> Cc: "Eric W. Biederman" <ebiederm@...ssion.com>, Lennart Poettering <mzxreary@...inter.de>, Kay Sievers <kay.sievers@...y.org>, linux-kernel@...r.kernel.org, harald@...hat.com, david@...ar.dk, greg@...ah.com, Linux Containers <containers@...ts.osdl.org>, Linux Containers <lxc-devel@...ts.sourceforge.net>, "Serge E. Hallyn" <serge@...lyn.com>, Daniel Lezcano <daniel.lezcano@...e.fr>, Paul Menage <paul@...lmenage.org> Subject: Re: Detecting if you are running in a container On Mon, Oct 10, 2011 at 07:05:30PM -0700, Matt Helsley wrote: > Yes, it does detract from the unique advantages of using a container. > However, I think the value here is not the effeciency of the initial > system configuration but the fact that it gives users a better place to > start. > > Right now we're effectively asking users to start with non-working > and/or unfamiliar systems and repair them until they work. If things are not working with containers, I would submit to you that we're doing something wrong(tm). Things should just work, except that processes in one container can't use more than their fair share (as dictated by policy) of memory, CPU, networking, and I/O bandwidth. Something which is baked in my world view of containers (which I suspect is not shared by other people who are interested in using containers) is that given that kernel is shared, trying to use containers to provide better security isolation between mutually suspicious users is hopeless. That is, it's pretty much impossible to prevent a user from finding one or more zero day local privilege escalation bugs that will allow a user to break root. And at that point, they will be able to penetrate the kernel, and from there, break security of other processes. So if you want that kind of security isolation, you shouldn't be using containers in the first place. You should be using KVM or Xen, and then only after spending a huge amount of effort fuzz testing the KVM/Xen paravirtualization interfaces. So at least in my mind, adding vast amounts of complexities to try to provide security isolation via containers is really not worth it. And if that's the model, then it's a lot easier to make containers to run jobs in containers that don't require changes to the distro plus huge increase of complexity for containers in the kernel.... - Ted -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists