From mboxrd@z Thu Jan 1 00:00:00 1970
From: Dave Hansen
Subject: Re: Building a SECURE cointainer using Cgroups ?
Date: Mon, 13 Oct 2008 10:54:56 -0700
Message-ID: <1223920496.29877.22.camel@nimitz>
References: <0A97A441BFADC74EA1E299A79C69DF9212D3F6C9E2@orsmsx504.amr.corp.intel.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <0A97A441BFADC74EA1E299A79C69DF9212D3F6C9E2-osO9UTpF0UQ64kNsxIetb7fspsVTdybXVpNB7YpNyf8@public.gmane.org>
Sender: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org
Errors-To: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org
To: "Tanaka, Thomas"
Cc: "containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org"
List-Id: containers.vger.kernel.org

On Mon, 2008-10-13 at 10:03 -0700, Tanaka, Thomas wrote:
> Is it possible to build a secure container by using cgroups? My goal
> is to achieve a file system namespace container that will limit the
> file system view given to a process, similar to what chroot does, but
> of course it has to be secure.

You'll have to be a bit more specific than that. Do you want to make
absolutely sure that certain containers have absolutely no access to
certain fs namespaces?

--
Dave