[Lxc-users] patch for read-only bind-mount

Daniel Lezcano daniel.lezcano at free.fr
Tue Jun 22 12:49:45 UTC 2010


On 06/22/2010 07:25 AM, John Brendler wrote:
> lxc fails to make read-only bind mounts as documented.  Read-only bind
> mounts are important to many use cases.
>
> A simple patch has been submitted to the lxc-devel mailing list (by
> Ciprian Dorin), but when I last checked, it was not clear if any action
> had been taken on it.  It is clear, however, that the bug still
> exists in release 0.7.0.
>
> I have tested the patch, and it fixes the problem in both 0.6.5 and
> 0.7.0.  I have been using it for a couple months.
>
> This is where the patch was submitted to the lxc-devel list:
> http://sourceforge.net/mailarchive/forum.php?thread_name=4B9E0AE0.9000100%40free.fr&forum_name=lxc-devel
>
> I think this patch should be implemented (when it is convenient
> to do so).  This is a significant loss of functionality that affects the
> security of a security-oriented application.
>
> So I am posting so that others know the patch exists and also to see
> what should be done to get this included in the next release.
>
>
> Details: -------------------------------------------------------------
>
> In short, a line like this in a container's configuration file should
> have the effect of bind-mounting the file (e.g. /sbin directory below)
> within the container and making it *read-only*:
>
>    lxc.mount.entry = /sbin /lxc/container07/sbin none ro,bind 0 0
>
> Or in a fstab-formatted file referred to by a "lxc.mount" entry in the
> config file, it would simply be:
>
>    /sbin /lxc/container07/sbin none ro,bind 0 0
>
> Unfortunately, it doesn't work.  It bind-mounts, but gives a little
> warning that it "appears to mounted read-write".  This is easily
> confirmed by writing and deleting files in the filesystems that should
> have been mounted read-only.
>
> This is unfortunate, considering the whole point of these tools is secure
> compartmentalization.
>
> Normally, a read-only bind mount requires two steps:
>
>   mount -o bind /sbin /lxc/container07/sbin
>   mount -o remount,ro /lxc/container07/sbin
>
> So, one may work around this bug by executing a script (after starting
> the container) to carry out that second step, remounting the appropriate
> things in read-only mode. But this shouldn't be necessary, since
> handling read-only bind-mounts is an intended feature of the lxc tools.
>
> The patch is very simple and does seem to fix the problem nicely.
> Barring regressions I may not be aware of, I, for one, would like to see
> it implemented.
>
> I am using it as a means to re-use the host operating system's files, in
> read-only bind-mounts, with exceptions overlaid on top of them (rather
> than having to maintain an additional and separate "guest operating
> system" filesystem).  With the patch, this seems to work quite well.

You are right, it is an important feature, I forgot to take the patch.
I will merge it and release a 0.7.1 as soon as possible.
Thanks for pointing this out.

   -- Daniel
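The two-step workaround John describes (bind, then remount read-only), written out as a small POSIX sh helper. This is an added example for this archive page, not code from the thread or from the lxc project. It turns `lxc.mount`-style fstab lines into the two mount commands and checks the result against `/proc/self/mountinfo`, where field 5 is the mount point and field 6 carries the per-mount flags. The second step uses `remount,bind,ro` rather than the bare `remount,ro` from the post: with the `bind` flag present, mount(2) changes only the new mount point's flags (supported since Linux 2.6.26), so the host's `/sbin` filesystem itself is not switched read-only. The container paths are the ones from the post, and the mountinfo lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the lxc-users thread or the lxc project.
# Generates the bind + remount,bind,ro pair for "ro,bind" fstab entries
# and verifies a target's per-mount flags from mountinfo text.

# Emit the mount command(s) for one fstab-formatted line:
#   <source> <target> <fstype> <options> <dump> <pass>
# A plain "bind" is one mount; "ro,bind" is bind followed by a remount that
# flips only the new mount point to read-only (assumes kernel >= 2.6.26).
ro_bind_cmds() {
    line=$1
    set -f            # no globbing while splitting the entry into fields
    set -- $line
    set +f
    src=$1; dst=$2; fstype=$3; opts=$4
    case ",$opts," in
        *,bind,*)
            printf 'mount -o bind %s %s\n' "$src" "$dst"
            case ",$opts," in
                *,ro,*) printf 'mount -o remount,bind,ro %s\n' "$dst" ;;
            esac
            ;;
        *)
            printf 'mount -t %s -o %s %s %s\n' "$fstype" "$opts" "$src" "$dst"
            ;;
    esac
}

# Read fstab-formatted lines on stdin (comments and blanks skipped) and print
# the commands for each; pipe the output into sh as root to apply them.
fstab_to_cmds() {
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        ro_bind_cmds "$line"
    done
}

# Return 0 if <target> appears in the given mountinfo text with "ro" among
# its per-mount options (field 6); this is the check the post's "appears to
# mounted read-write" warning is getting at.
mount_is_ro() {
    target=$1; mountinfo=$2
    printf '%s\n' "$mountinfo" | awk -v t="$target" '
        $5 == t { found = 1; if ($6 ~ /(^|,)ro(,|$)/) ok = 1 }
        END { exit (found && ok) ? 0 : 1 }'
}

# Constructed mountinfo lines: /sbin shows the bug (bind left rw),
# /usr shows the state after the second step.
SAMPLE_MOUNTINFO='50 49 8:1 /sbin /lxc/container07/sbin rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
51 49 8:1 /usr /lxc/container07/usr ro,relatime - ext4 /dev/sda1 rw,errors=remount-ro'

# Demonstration: the entry from the post becomes two commands.
ro_bind_cmds "/sbin /lxc/container07/sbin none ro,bind 0 0"
```

On a live system, replace `SAMPLE_MOUNTINFO` with `$(cat /proc/self/mountinfo)` inside the container's mount namespace; a target that still reports `rw` in field 6 is the symptom the post describes, and the bare `mount -o bind` line without its `remount,bind,ro` partner is the cause.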