[Lxc-users] Jumping out of a read-only bind mount container

Trent W. Buck trentbuck at gmail.com
Mon Feb 7 00:40:47 UTC 2011


Matto Fransen <matto at matto.nl> writes:

>> In the container, I can use the mount command with the -oremount,rw
>> options and then edit the file from the container.
>
> So the bind read-only mounts are no protection against changing the
> filesystem of the container, but they even make it possible to corrupt the
> _host_ filesystem ...
>
>> Is there a way to disable that behavior and forbid the mount options
>
> Perhaps there should be a drop.caps possibility to prevent remounting
> from within the container.

lxc.cap.drop=sys_admin should prevent all mount(2) calls within the
container.  It seems to work for me.  In fact...  I thought LXC *always*
removed that capability, even if you never mentioned it?

    $ grep /srv/mirror /proc/mounts
    /dev/mapper/omega-mirror /srv/mirror ext4 ro,relatime,barrier=1,data=ordered 0 0
    $ sudo mount -o remount,rw /srv/mirror
    $ grep /srv/mirror /proc/mounts
    /dev/mapper/omega-mirror /srv/mirror ext4 ro,relatime,barrier=1,data=ordered 0 0

Note that, obviously, this means all mounts must be done by
lxc.mount.entry or prior to starting LXC.
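
Two checks in the spirit of the grep above, added here as an example and not taken from the thread: one confirms that a mount point still carries a bare `ro` option in /proc/mounts (a plain substring grep would also match `errors=remount-ro`), the other reads the CapEff mask from a /proc/<pid>/status file to see whether CAP_SYS_ADMIN (capability number 21, the one lxc.cap.drop=sys_admin removes) is still held. The sample /proc/mounts and status contents are constructed.

```shell
#!/bin/sh
# Added example, not from the original thread: two read-only checks for the
# situation discussed above. CAP_SYS_ADMIN is capability number 21.

# is_mount_ro MOUNTPOINT [MOUNTS_FILE]: true if the mount's option list
# (4th field of a /proc/mounts line) contains a bare "ro" option.
is_mount_ro() {
    awk -v mp="$1" '
        $2 == mp {
            found = 1
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") ro = 1
        }
        END { exit (found && ro) ? 0 : 1 }
    ' "${2:-/proc/mounts}"
}

# has_cap_sys_admin [STATUS_FILE]: true if bit 21 is set in the CapEff
# mask of a /proc/<pid>/status file (i.e. CAP_SYS_ADMIN is still held).
has_cap_sys_admin() {
    mask=$(awk '/^CapEff:/ { print $2 }' "${1:-/proc/self/status}")
    [ -n "$mask" ] || return 2
    [ $(( 0x$mask >> 21 & 1 )) -eq 1 ]
}

# Constructed sample data (not captured from a real host) so the demo
# runs offline; the real files are the defaults above.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/mounts" <<'EOF'
/dev/mapper/omega-mirror /srv/mirror ext4 ro,relatime,barrier=1,data=ordered 0 0
/dev/sda1 /srv/scratch ext4 rw,relatime,errors=remount-ro 0 0
EOF
printf 'CapEff:\t0000003fffffffff\n' > "$tmpdir/status_full"     # sys_admin held
printf 'CapEff:\t0000003fffdfffff\n' > "$tmpdir/status_dropped"  # bit 21 cleared

for mp in /srv/mirror /srv/scratch; do
    if is_mount_ro "$mp" "$tmpdir/mounts"; then echo "$mp: ro"; else echo "$mp: NOT ro"; fi
done
for f in status_full status_dropped; do
    if has_cap_sys_admin "$tmpdir/$f"; then echo "$f: CAP_SYS_ADMIN held, remount possible"
    else echo "$f: CAP_SYS_ADMIN dropped, mount(2) refused"; fi
done
```

Run without arguments inside the container to check the live /proc/mounts and /proc/self/status instead of the sample files.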
