[lxc-users] bind-mounting kernel directories
Chris Burroughs
chris.burroughs at gmail.com
Wed Apr 1 17:38:40 UTC 2015
On 04/01/2015 12:54 PM, Michael H. Warfield wrote:
> Doing a read-only bind mount is marginal at best. We've had issues with
> remounts in containers propagating out (that I think/hope are finally
> fixed) and some containers need mount privs in order to mount images or
> do nfs/afs/cifs mounts, so prohibiting the cap_sysadmin is not a viable
> option in general there.
Well, most default templates already mount sys:ro, so a
read-only-->read-write breach would already have direct problems.
For programs that care about detecting which modules are running (i.e. the
rhel iptables 'service' scripts), it sounds like the options are:
* read-only bind mounts, which might be breachable (and obviously
'leaks' information)
* Distribution specific package work to install the same version of
the kernel in the host and container.
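As an added example (not from this thread or from the LXC project), here is a POSIX shell check a container operator can run to confirm that a bind mount such as /sys or /lib/modules is still mounted read-only, by parsing /proc/self/mountinfo. The mountinfo lines embedded below are constructed sample data, not captured from a real host; on a real system the function defaults to reading the live /proc/self/mountinfo.

```sh
#!/bin/sh
# mount_is_ro MOUNTPOINT [MOUNTINFO_FILE]
# Returns 0 if the last mount recorded at MOUNTPOINT carries the "ro"
# option, 1 if it is read-write or not mounted at all.
# /proc/self/mountinfo field layout (space separated):
#   1=id 2=parent 3=maj:min 4=root 5=mountpoint 6=per-mount options ...
# The per-mount options (field 6) are what a remount inside the container
# would change, so this is the field to watch for an ro -> rw flip.
# Note: mountinfo escapes spaces in paths as \040; this check does not
# decode those, which is fine for /sys and /lib/modules.
mount_is_ro() {
    mp="$1"
    file="${2:-/proc/self/mountinfo}"
    awk -v mp="$mp" '
        $5 == mp {
            # Later lines overmount earlier ones, so reset and re-evaluate
            # for every match; the last match wins.
            found = 1
            ro = 0
            n = split($6, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") ro = 1
        }
        END { exit ((found && ro) ? 0 : 1) }
    ' "$file"
}

# Constructed sample mountinfo (NOT from a real host): /sys and
# /lib/modules bound read-only, /home read-write.
SAMPLE_MOUNTINFO="$(mktemp)"
cat > "$SAMPLE_MOUNTINFO" <<'EOF'
20 1 0:19 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs rw
21 1 8:1 /lib/modules /lib/modules ro,relatime - ext4 /dev/sda1 rw
22 1 8:1 /home /home rw,relatime - ext4 /dev/sda1 rw
EOF

# Report on the sample; drop the second argument to check the live system.
for mp in /sys /lib/modules /home; do
    if mount_is_ro "$mp" "$SAMPLE_MOUNTINFO"; then
        echo "$mp: read-only"
    else
        echo "$mp: NOT read-only"
    fi
done
```

Running this periodically inside a container (or from the host against the container's /proc/PID/mountinfo) gives a simple detection for the read-only to read-write breach discussed above; it does not prevent the remount, it only tells you when the ro protection is no longer in place.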