On Mon, Oct 07, 2024 at 09:23:39AM +0200, Harald Dunkel wrote:
> Hi folks,
>
> Is it reasonable to make /proc/kmsg readable inside a privileged
> container (LXC or Incus)? rsyslogd (using default config on Debian
> 12) could poll "away" the kernel logging inside the container, and
> rsyslogd running on the host might miss important messages. Not to
> mention that the messages showing up on /proc/kmsg might reveal too
> much information about the host system.

I don't think this is a judgement call we can make for you :) Does
the ability of a containerized workload (legitimate or powned) to
see addresses in segfaults concern you? I suspect it would be a
reasonable thing for you, but can't say for sure.

>
> Of course I understand that privileged containers should be avoided
> in general, but this is not my choice.
>
> Regards
> Harri