Add healthy procfs/sysfs warnings

Upstream-commit: 96988a37f52b65e8b703b6c2de138c34486215ad Component: engine
2013-06-20 00:37:08 +07:00
parent 1644bb786c
commit 903c80e7d6
1 changed files with 4 additions and 0 deletions
--- a/components/engine/lxc_template.go
+++ b/components/engine/lxc_template.go
@ -67,7 +67,11 @@ lxc.cgroup.devices.allow = c 10:200 rwm


 # standard mount point
+#  WARNING: procfs is a known attack vector and should probably be disabled
+#           if your userspace allows it. eg. see http://blog.zx2c4.com/749
 lxc.mount.entry = proc {{$ROOTFS}}/proc proc nosuid,nodev,noexec 0 0
+#  WARNING: sysfs is a known attack vector and should probably be disabled
+#           if your userspace allows it. eg. see http://bit.ly/T9CkqJ
 lxc.mount.entry = sysfs {{$ROOTFS}}/sys sysfs nosuid,nodev,noexec 0 0
 lxc.mount.entry = devpts {{$ROOTFS}}/dev/pts devpts newinstance,ptmxmode=0666,nosuid,noexec 0 0
 #lxc.mount.entry = varrun {{$ROOTFS}}/var/run tmpfs mode=755,size=4096k,nosuid,nodev,noexec 0 0