Restriction of filesystem mounting
sergk at natcoweb.com
Tue Sep 15 14:15:08 PDT 2009
> Could you explain a little more why you have this requirement?
> Anybody in their own filesystem namespace can do no harm to users in
> other namespaces. What's the worry?
I don't want to expose information about the hardware configuration to
processes inside a container, which can now be easily accessed by mounting
sysfs. Also, through sysfs direct access to hardware is possible, and
that definitely can do harm to other containers and the whole system. For
example, removing hard drives by
echo 1 > /sys/bus/scsi/drivers/sd/<SCSI-ID>/delete
So I definitely want to forbid mounting of sysfs inside a container.
And probably there are some other "dangerous" filesystems.
Also, in the future I plan to add a mount option for the proc filesystem
which hides kernel low-level or hardware information
(/proc/bus, /proc/interrupts, etc.), and I want to mount proc with such an
option inside the container once, without the possibility of remounting it
without the option and getting an unrestricted view of proc.
With best regards,
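The post above argues that a writable sysfs inside a container is a hazard (the scsi "delete" attribute being one concrete vector). The following is an added audit script, not code from the original thread or from the kernel containers work it discusses: it parses /proc/self/mountinfo text and reports every sysfs mount that is not read-only at either the mount or the superblock level, and it separately lists which scsi "delete" attributes the current process could write. The sample mount table is constructed for the example; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): audit a container for the
# writable-sysfs exposure described above.

# Print the mount point of every sysfs mount whose per-mount options AND
# superblock options both lack "ro".  Input: /proc/self/mountinfo text on
# stdin.  mountinfo layout:
#   id parent maj:min root mountpoint mopts [optional...] - fstype source sopts
sysfs_rw_mounts() {
    awk '
    {
        # Locate the "-" separator; optional fields may precede it.
        sep = 0
        for (i = 1; i <= NF; i++) if ($i == "-") { sep = i; break }
        if (sep == 0) next
        mnt = $5; mopts = $6
        fstype = $(sep + 1); sopts = $(sep + 3)
        if (fstype != "sysfs") next
        # "ro" must appear as a whole comma-separated token, not as a prefix
        # of another option such as "relatime".
        if ((mopts ~ /(^|,)ro(,|$)/) || (sopts ~ /(^|,)ro(,|$)/)) next
        print mnt
    }'
}

# Live check (Linux only): list the scsi "delete" attributes this process
# could write.  It only tests writability; writing "1" there would really
# detach the disk, as the post warns.
scsi_delete_writable() {
    for f in /sys/bus/scsi/drivers/sd/*/delete; do
        [ -w "$f" ] && echo "$f"
    done
    return 0
}

# Constructed sample mount table (hypothetical container): a writable sysfs
# at /sys, a proc mount, a read-only cgroup tmpfs under /sys, and a second
# sysfs bind-mounted read-only at /mnt/hostsys.
SAMPLE_MOUNTINFO='36 25 0:32 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
37 25 0:33 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
40 36 0:34 / /sys/fs/cgroup ro,nosuid,nodev,noexec - tmpfs tmpfs ro,mode=755
41 25 0:35 / /mnt/hostsys ro,relatime - sysfs sysfs rw'

# Demo on the constructed sample; on a real host run
#   sysfs_rw_mounts < /proc/self/mountinfo
# Expected output for the sample: /sys
printf '%s\n' "$SAMPLE_MOUNTINFO" | sysfs_rw_mounts
```

Only /sys is reported for the sample: the bind mount at /mnt/hostsys is read-only at the mount level even though its superblock is rw, which is exactly the case a naive grep for "rw" would get wrong. On a live container, a non-empty result from either function means the sysfs restriction the post asks for is not in effect.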