6.16. Security
A namespace maps ids to resources. By not providing a container any id with which to reference a resource, the resource can be protected. This is the basis of some of the security afforded to container users. For instance, IPC namespaces are completely isolated. Other namespaces, however, have various leaks which allow privilege to be inappropriately exerted from a container into another container or to the host.
By default, LXC containers are started under an AppArmor policy that restricts some actions. The details of the AppArmor integration with lxc are in Section 6.9, “AppArmor” [p. 368]. Unprivileged containers go further by mapping root in the container to an unprivileged host userid. This prevents access to /proc and /sys files representing host resources, as well as to any other files owned by root on the host.
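To make that mapping concrete, the following is an added example (not from the guide) that interprets a uid_map the way the kernel does, so one can see which host uid backs container root; the two sample maps are constructed, the /proc/<pid>/uid_map line format is real.

```sh
#!/bin/sh
# Added example (not from the guide): interpret a uid_map as the kernel does.
# Each line of /proc/<pid>/uid_map reads: <first uid in namespace> <first uid on host> <count>.

# Print the host uid that container uid $2 maps to under the uid_map text $1,
# or "unmapped" when no range covers it (such ids appear as the overflow uid).
map_to_host() {
    printf '%s\n' "$1" | awk -v uid="$2" '
        NF == 3 && uid >= $1 && uid < $1 + $3 { print $2 + (uid - $1); found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# Succeed (exit 0) only if container root is backed by an unprivileged host uid.
container_root_is_unprivileged() {
    host=$(map_to_host "$1" 0)
    [ "$host" != "unmapped" ] && [ "$host" -ne 0 ]
}

# Constructed sample maps: a privileged container (identity map over the whole
# uid space) and an unprivileged one whose root is host uid 100000.
PRIVILEGED_MAP="0 0 4294967295"
UNPRIVILEGED_MAP="0 100000 65536"

main() {
    for m in "$PRIVILEGED_MAP" "$UNPRIVILEGED_MAP"; do
        if container_root_is_unprivileged "$m"; then
            echo "root -> host uid $(map_to_host "$m" 0): unprivileged container"
        else
            echo "root -> host uid $(map_to_host "$m" 0): privileged container"
        fi
    done
}
main
```

Inside a running container, `cat /proc/self/uid_map` yields the text to pass to map_to_host.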