[Lxc-users] Jumping out of a read-only bind mount container
Trent W. Buck
trentbuck at gmail.com
Mon Feb 7 00:40:47 UTC 2011
Matto Fransen <matto at matto.nl> writes:
>> In the container, I can use the mount command with the -oremount,rw
>> options and then edit the file from the container.
>
> So the bind read-only mounts are no protection against changing the
> filesystem of the container, but even make it possible to corrupt the
> _host_ filesystem ...
>
>> Is there a way to disable that behavior and forbid the mount options
>
> Perhaps there should be a drop.caps possibility to prevent remounting
> from within the container.
lxc.cap.drop=sys_admin should prevent all mount(2) calls within the
container. It seems to work for me. In fact... I thought LXC *always*
removed that capability, even if you never mentioned it?
$ grep /srv/mirror /proc/mounts
/dev/mapper/omega-mirror /srv/mirror ext4 ro,relatime,barrier=1,data=ordered 0 0
$ sudo mount -o remount,rw /srv/mirror
$ grep /srv/mirror /proc/mounts
/dev/mapper/omega-mirror /srv/mirror ext4 ro,relatime,barrier=1,data=ordered 0 0
Note that, obviously, this means all mounts must be done by
lxc.mount.entry or prior to starting LXC.
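The two points in the reply above (drop sys_admin so the container cannot call mount(2), and do every mount through lxc.mount.entry before the container starts) as an added config audit. This is example code written for this page, not code from the thread or from the LXC project. It assumes the classic key = value syntax of lxc.mount.entry and lxc.cap.drop used in the post; the sample config, the container paths and the /proc/mounts lines are constructed. It flags read-only bind mounts in a config that does not drop sys_admin, and parses /proc/mounts lines in the format shown above to confirm a mount's ro flag on the host.

```python
"""Audit an LXC config for read-only bind mounts that the container could
remount read-write.

Added example, not code from the lxc-users thread or from LXC itself. It
assumes the classic key = value LXC config syntax (lxc.mount.entry,
lxc.cap.drop) named in the post; every path, config line and /proc/mounts
line below is constructed.
"""

# Constructed sample config: one ro bind mount, one plain bind mount, and a
# cap.drop line that does not include sys_admin.
SAMPLE_CONFIG = """\
lxc.utsname = web
lxc.mount.entry = /srv/mirror /var/lib/lxc/web/rootfs/srv/mirror none ro,bind 0 0
lxc.mount.entry = /srv/data /var/lib/lxc/web/rootfs/srv/data none bind 0 0
lxc.cap.drop = mac_admin mac_override
"""

# Constructed /proc/mounts excerpt in the layout shown in the post.
SAMPLE_PROC_MOUNTS = """\
/dev/mapper/omega-mirror /srv/mirror ext4 ro,relatime,barrier=1,data=ordered 0 0
/dev/sda1 / ext4 rw,relatime 0 0
"""


def parse_config(text):
    """Return (mount entries, dropped capabilities) from LXC config text."""
    mounts = []
    dropped = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "lxc.mount.entry":
            # fstab layout: src dst fstype opts [dump pass]
            fields = value.split()
            if len(fields) >= 4:
                mounts.append({
                    "src": fields[0],
                    "dst": fields[1],
                    "fstype": fields[2],
                    "opts": set(fields[3].split(",")),
                })
        elif key == "lxc.cap.drop":
            dropped.update(value.split())  # several caps may share one line
    return mounts, dropped


def audit_config(text):
    """List ro bind mounts that are not backed by dropping CAP_SYS_ADMIN.

    mount(2), including MS_REMOUNT, needs CAP_SYS_ADMIN; if the container
    keeps that capability, 'ro' on a bind mount only holds until a remount.
    """
    mounts, dropped = parse_config(text)
    if "sys_admin" in dropped:
        return []
    return [
        f"{m['src']} -> {m['dst']}: ro bind mount, but sys_admin is not in lxc.cap.drop"
        for m in mounts
        if "bind" in m["opts"] and "ro" in m["opts"]
    ]


def mount_is_readonly(proc_mounts_text, mountpoint):
    """True/False for the mount at `mountpoint`, None if nothing is mounted there.

    /proc/mounts writes spaces in paths as the octal escape \\040; decode
    it before comparing.
    """
    for line in proc_mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        target = fields[1].replace("\\040", " ")
        if target == mountpoint:
            return "ro" in fields[3].split(",")
    return None


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("WARN:", finding)
    print("/srv/mirror read-only on host:",
          mount_is_readonly(SAMPLE_PROC_MOUNTS, "/srv/mirror"))
```

Run against a real container config and the host's /proc/mounts, the same two functions give a quick pre-start check: a clean audit_config() result means the ro bind mounts are paired with a dropped sys_admin, and mount_is_readonly() confirms the host side still reports ro after the container has been up.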