[pve-devel] [PATCH pve-container 0/4] container hardening
Wolfgang Bumiller
w.bumiller at proxmox.com
Thu Sep 17 13:06:56 CEST 2015

This series improves container security.

Disk access permission checking still assumed the old 'disk' config
option name and simply passed on rootfs/mp*.
Mountpoints are now "sanitized", must not be symlinks anymore.
Mounts performed for a vzdump process are now unshared from the host.

Wolfgang Bumiller (4):
  lxc: use new disk option names in permission check
  use sanitize_mountpoint in foreach_mountpoint
  mountpoint_mount: disallow symlinks in bind mounts
  vzdump:lxc: unshare mount namespace

 src/PVE/LXC.pm        | 37 +++++++++++++++++++++++++++++++++++--
 src/PVE/VZDump/LXC.pm | 22 +++++++---------------
 2 files changed, 42 insertions(+), 17 deletions(-)

--
2.1.4