Restriction of filesystem mounting

Sergey Kononenko sergk at
Tue Sep 15 13:35:27 PDT 2009


I've come across the need to restrict the ability to mount filesystems
inside a container and probably to forbid remounting of already-mounted
filesystems in the container namespace (mounted by lxc-start, for example).
It seems that the obvious solution is to drop the capability from the bounding
set of processes inside the container. Unfortunately there is no separate
capability for mount/umount, and dropping CAP_SYS_ADMIN is
unacceptable in my case.
I don't see a way to solve this problem without modifying kernel code,
though I don't know how exactly to modify it. My first thought was to
create a new separate capability, CAP_SYS_MOUNT, although it may break
existing applications which presume CAP_SYS_ADMIN would be enough to do
mount/umount. Another option to solve this problem would be to create a
cgroup controller with a list of permitted filesystem types, similar to the
existing controller for devices (CGROUP_DEVICE).
Any suggestions will be helpful.

With best regards,
Sergey Kononenko.
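The bounding-set approach the post rejects is worth seeing in code, because it shows both how a container launcher would apply it and why it is too coarse: mount(2) and umount(2) are gated by CAP_SYS_ADMIN only, so the only capability that can be dropped to block mounting is the one that also covers many unrelated operations. The following is an added example, not code from the post or from LXC; it assumes a Linux kernel with prctl(PR_CAPBSET_READ) and prctl(PR_CAPBSET_DROP) (2.6.25 or later), and the function names in_bounding_set, drop_from_bounding_set and drop_is_permanent are my own.

```c
/* Added example (not from the mailing-list post or from LXC): inspect and,
 * when the caller holds CAP_SETPCAP, drop a capability from the calling
 * process's bounding set. Assumes Linux >= 2.6.25 for PR_CAPBSET_*. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/capability.h>

/* Returns 1 if cap is still in the bounding set, 0 if it has been dropped,
 * or -errno (normally -EINVAL) if cap is not a valid capability number. */
int in_bounding_set(int cap)
{
    int r = prctl(PR_CAPBSET_READ, (unsigned long)cap, 0UL, 0UL, 0UL);
    return r < 0 ? -errno : r;
}

/* Drops cap from the bounding set. Returns 0 on success or -errno; an
 * unprivileged caller (no CAP_SETPCAP) gets -EPERM. The drop cannot be
 * undone and is inherited across fork() and execve(), so a launcher such as
 * lxc-start would do it once before exec'ing the container's init. */
int drop_from_bounding_set(int cap)
{
    if (prctl(PR_CAPBSET_DROP, (unsigned long)cap, 0UL, 0UL, 0UL) < 0)
        return -errno;
    return 0;
}

/* Demonstrates the irreversibility: after a successful drop, reading the
 * same capability back must yield 0. Returns 0 when that holds (or when
 * the capability was already absent), -errno when the drop was refused,
 * and -EINVAL if the kernel unexpectedly still reports the capability. */
int drop_is_permanent(int cap)
{
    int before = in_bounding_set(cap);
    if (before != 1)
        return before;            /* already gone, or an invalid cap number */
    int r = drop_from_bounding_set(cap);
    if (r < 0)
        return r;                 /* e.g. -EPERM without CAP_SETPCAP */
    return in_bounding_set(cap) == 0 ? 0 : -EINVAL;
}

int main(void)
{
    /* CAP_SYS_ADMIN is the capability checked by mount(2)/umount(2);
     * there is no narrower one, which is exactly the post's complaint. */
    printf("CAP_SYS_ADMIN in bounding set: %d\n", in_bounding_set(CAP_SYS_ADMIN));
    int r = drop_from_bounding_set(CAP_SYS_ADMIN);
    if (r == 0)
        printf("dropped; now reads %d\n", in_bounding_set(CAP_SYS_ADMIN));
    else
        printf("drop refused: %s (caller needs CAP_SETPCAP)\n", strerror(-r));
    return 0;
}
```

Run it as an ordinary user and the drop is refused with EPERM; run it with CAP_SETPCAP (for example as root before unsharing into the container) and CAP_SYS_ADMIN disappears from the bounding set for every descendant, blocking mount(2) but also every other CAP_SYS_ADMIN operation, which is why the post looks for a finer-grained mechanism instead.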

