SECURITY: LXC can read server dmesg

[jinjer]

I have recently upgraded a cluster from 3.4 to 4.1

There's a security issue with LXC that I would like to bring to your attention.

Running dmesg inside a CT will show you the base server information. In some cases this reveals process info from other containers.

I would not expect this to be the case... perhaps a problem with my install ?

jinjer

 

[wbumiller]

See https://forum.proxmox.com/threads/lxc-privilege-level.25724/#post-128861
Might be worth adding a GUI option for this and investigating how much would break with doing this as default.

 

[jinjer]

Yes, it will probably be an issue.

On 4.2.8-1, when the OOM kicks in it dumps all processes of the server in the dmesg.

If, after this, one runs dmesg in the LXC, he gets to see everything and more from the running server.