[Lxc-users] patch for read-only bind-mount

John Brendler brendlerjg at gmail.com
Tue Jun 22 05:25:39 UTC 2010


lxc fails to make read-only bind mounts as documented.  Read-only bind
mounts are important to many use cases.

A simple patch has been submitted to the lxc-devel mailing list (by
Ciprian Dorin), but when I last checked, it was not clear if any action
had been taken on it.  It is clear, however, that the bug still
exists in release 0.7.0.

I have tested the patch, and it fixes the problem in both 0.6.5 and
0.7.0.  I have been using it for a couple months.

This is where the patch was submitted to the lxc-devel list:
http://sourceforge.net/mailarchive/forum.php?thread_name=4B9E0AE0.9000100%40free.fr&forum_name=lxc-devel

I think this patch should be implemented (when it is convenient
to do so).  This is a significant loss of functionality that affects the
security of a security-oriented application.

So I am posting so that others know the patch exists and also to see
what should be done to get this included in the next release.


Details: -------------------------------------------------------------

In short, a line like this in a container's configuration file should
have the effect of bind-mounting the file (e.g. /sbin directory below)
within the container and making it *read-only*:

  lxc.mount.entry = /sbin /lxc/container07/sbin none ro,bind 0 0

Or in a fstab-formatted file referred to by a "lxc.mount" entry in the
config file, it would simply be:

  /sbin /lxc/container07/sbin none ro,bind 0 0

Unfortunately, it doesn't work.  It bind-mounts, but gives a little
warning that it "appears to mounted read-write".  This is easily
confirmed by writing and deleting files in the filesystems that should
have been mounted read-only.

This is unfortunate, considering the whole point of these tools is secure
compartmentalization.

Normally, a read-only bind mount requires two steps:

 mount -o bind /sbin /lxc/container07/sbin
 mount -o remount,ro /lxc/container07/sbin

So, one may work around this bug by executing a script (after starting
the container) to carry out that second step, remounting the appropriate
things in read-only mode. But this shouldn't be necessary, since
handling read-only bind-mounts is an intended feature of the lxc tools.
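The workaround script described above, as an added example that is not part of the original post or of the lxc tools: it reads the container's fstab (or "lxc.mount.entry" lines), emits the two-step sequence for every entry carrying both "bind" and "ro", and provides a probe to confirm that a mount point really refuses writes. The function names and the "remount,ro,bind" form of the second step (which keeps the read-only flag local to the bind mount rather than the underlying filesystem) are this example's own choices.

```shell
#!/bin/sh
# Added example; not part of the original post or of the lxc tools.
# Generates the two-step read-only bind mount sequence from lxc fstab-style
# lines, to be run after lxc-start until the patch is included.

# ro_bind_cmds LINE -> prints the mount command(s) for one entry
ro_bind_cmds() {
    line=${1#*lxc.mount.entry*=}      # accept config-file form as well as fstab form
    # shellcheck disable=SC2086
    set -- $line                      # split on whitespace: src dst fstype opts
    src=$1 dst=$2 fstype=$3 opts=$4
    case ",$opts," in
        *,bind,*) ;;
        *) echo "mount -t $fstype -o $opts $src $dst"; return 0 ;;
    esac
    # Step 1: the bind itself.  An "ro" passed here is ignored by the kernel,
    # which is the behaviour the post reports.
    echo "mount -o bind $src $dst"
    # Step 2: remount this mount point only; "bind" in the remount keeps the
    # change local to the bind mount instead of the underlying filesystem.
    case ",$opts," in
        *,ro,*) echo "mount -o remount,ro,bind $dst" ;;
    esac
}

# gen_script FSTAB -> prints a script applying every entry of an lxc fstab file
gen_script() {
    echo "#!/bin/sh"
    echo "set -e"
    while read -r l; do
        case $l in ''|'#'*) continue ;; esac     # skip blanks and comments
        ro_bind_cmds "$l"
    done < "$1"
}

# is_ro MOUNTPOINT -> returns 0 if the mount refuses writes, 1 otherwise (run as root)
is_ro() {
    probe="$1/.ro_probe_$$"
    if touch "$probe" 2>/dev/null; then rm -f "$probe"; return 1; fi
    return 0
}
```

Typical use: gen_script /lxc/container07/fstab > /tmp/ro-fix.sh && sh /tmp/ro-fix.sh, then is_ro /lxc/container07/sbin to confirm the result.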

The patch is very simple and does seem to fix the problem nicely.
Barring regressions I may not be aware of, I, for one, would like to see
it implemented.

I am using it as a means to re-use the host operating system's files, in
read-only bind-mounts, with exceptions overlaid on top of them (rather
than having to maintain an additional and separate "guest operating
system" filesystem).  With the patch, this seems to work quite well.

-----------------------------------------------------------------------