[pve-devel] [PATCH pve-container 0/4] container hardening

Wolfgang Bumiller w.bumiller at proxmox.com
Thu Sep 17 13:06:56 CEST 2015


This series improves container security.
Disk access permission checking still assumed the old 'disk' config
option name and simply passed on rootfs/mp*.
Mountpoints are now "sanitized", must not be symlinks anymore.
Mounts performed for a vzdump process are now unshared from the host.

Wolfgang Bumiller (4):
  lxc: use new disk option names in permission check
  use sanitize_mountpoint in foreach_mountpoint
  mountpoint_mount: disallow symlinks in bind mounts
  vzdump:lxc: unshare mount namespace

 src/PVE/LXC.pm        | 37 +++++++++++++++++++++++++++++++++++--
 src/PVE/VZDump/LXC.pm | 22 +++++++---------------
 2 files changed, 42 insertions(+), 17 deletions(-)

-- 
2.1.4




More information about the pve-devel mailing list