Can I disable access to some /proc/ files?

I am running a system that does not support AppArmor. Is there a way to limit access to some /proc/ files?

For example
Nope. You can do tricks like mounting empty files over specific files and the like, but root in the container will be able to just unmount those things and see the real file.

Is there a way to use seccomp only on dir or file xy? This should solve my problem.

No, seccomp is a syscall filtering mechanism; seccomp policies can filter whole syscalls or syscall arguments so long as they’re not pointers. All strings (and therefore paths) are pointers and so cannot be used in seccomp policies.

Does LXC use the /proc dir of the master? Or does it mount procfs directly?

It’s a new mount as otherwise you’d see the processes of the host rather than those of the container.

Is it possible to change this behavior via config and use the hidepid mount option on the host node to make only user processes visible?

I have found a simple trick to solve my problem:
chmod 0440 /proc/mdstat

on the master after boot.

This removes the read flag for other users.
In my container I got:
~# cat /proc/mdstat
cat: /proc/mdstat: Keine Berechtigung

thank you for your help.
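As an added example (not code from the thread or from LXC), a small POSIX sh helper that audits a list of /proc entries for "other"-readable modes, so an admin can check what an unprivileged container user could still read, and applies the same 0440 mitigation as the post above. It assumes GNU `stat -c` and that the paths are passed as arguments; since procfs modes are not persistent, it has to be re-run after every boot, just as the post says.

```shell
#!/bin/sh
# Audit and restrict world-readable entries under /proc (or any paths).

world_readable() {
    # Return 0 if "other" has the read bit on $1, 2 if the path is unreadable by stat.
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    other="${mode#"${mode%?}"}"          # last octal digit = permissions for "other"
    [ $(( other & 4 )) -ne 0 ]
}

audit_proc_exposure() {
    # Print one line per path (EXPOSED / ok / missing); return 1 if any path is
    # still readable by "other", which is what an unprivileged container user sees.
    rc=0
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            printf '%-8s %s\n' 'missing' "$p"
            continue
        fi
        if world_readable "$p"; then
            printf '%-8s %s\n' 'EXPOSED' "$p"
            rc=1
        else
            printf '%-8s %s\n' 'ok' "$p"
        fi
    done
    return $rc
}

restrict_proc_entries() {
    # The thread's mitigation: drop the "other" read bit (mode 0440) on each path.
    # procfs permission changes are lost on reboot, so run this after every boot.
    for p in "$@"; do
        chmod 0440 "$p" || return 1
    done
}

# Usage: sh audit_proc.sh /proc/mdstat /proc/cpuinfo ...
if [ "$#" -gt 0 ]; then
    audit_proc_exposure "$@"
fi
```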