[lxc-users] Unprivileged Container and bind-mounting /dev/...

Serge Hallyn serge.hallyn at ubuntu.com
Fri Jan 23 15:57:39 UTC 2015


Quoting Dirk Geschke (dirk at lug-erding.de):
> Hi all, 
> 
> I'm just curious about how the bind mounts in a container work.
> 
> There are entries in lxc configuration like
> 
>   lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
> 
> I can see that they get bind mounted in the unprivileged container
> and the inode shows it's the same device as on the host.
> 
> But how is this done? Normally only root can do this, but this is
> an unprivileged container started by a normal user. So somehow I'm
> missing the link: How is the remount done?
> 
> Has anyone a hint for me?

Unprivileged containers are started in a new user namespace.  Root
in the container is mapped to another uid on the host, and is allowed
privileged access to any resources which the unprivileged user owns.

You can't mount most filesystems, but bind mounting is ok.  The source
node retains its ownership (uid -1, so you can't modify it), and if
you start any setuid-root programs they will be run as root in your
container, your user on the host, so you can only damage yourself.

-serge
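
The mechanism described in the reply above, as an added example that is not part of the original message and not LXC's own code: an ordinary user creates a user namespace, maps uid 0 inside it to their own host uid, and bind mounts a device node onto a scratch file. The helper names, the child exit codes and the /tmp scratch path are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>
/* Write a short string to a /proc file in a single write(); 0 on success. */
static int put(const char *path, const char *s) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, s, strlen(s));
    close(fd);
    return n == (ssize_t)strlen(s) ? 0 : -1;
}
/* 1 if both paths are character devices with the same major/minor numbers. */
int same_device(const char *a, const char *b) {
    struct stat sa, sb;
    if (stat(a, &sa) || stat(b, &sb)) return 0;
    return S_ISCHR(sa.st_mode) && S_ISCHR(sb.st_mode) && sa.st_rdev == sb.st_rdev;
}
/* Child: become root in a new user namespace, then bind mount src on dst. */
static int in_userns(const char *src, const char *dst) {
    char um[32], gm[32];
    snprintf(um, sizeof um, "0 %u 1", (unsigned)getuid()); /* host ids, read before unshare */
    snprintf(gm, sizeof gm, "0 %u 1", (unsigned)getgid());
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS)) return 2;    /* user namespaces refused */
    put("/proc/self/setgroups", "deny");                   /* required before gid_map */
    if (put("/proc/self/uid_map", um) || put("/proc/self/gid_map", gm)) return 2;
    if (mount(src, dst, NULL, MS_BIND, NULL)) return 2;    /* mount refused here */
    return same_device(src, dst) ? 0 : 1;                  /* node ownership is unchanged */
}
/* 1: bind mount shows the host device; 0: refused in this environment; -1: error. */
int demo_bind_mount(const char *src) {
    char dst[] = "/tmp/bind-demo-XXXXXX";                  /* constructed scratch target */
    int st = 0, fd = mkstemp(dst);
    if (fd < 0) return -1;
    close(fd);
    pid_t pid = fork();
    if (pid == 0) _exit(in_userns(src, dst));
    int ok = pid > 0 && waitpid(pid, &st, 0) == pid;
    unlink(dst);                                           /* mount vanished with the child */
    if (!ok || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st) == 0 ? 1 : WEXITSTATUS(st) == 2 ? 0 : -1;
}
int main(void) { printf("%d\n", demo_bind_mount("/dev/random")); return 0; }
```

A result of 0 means the kernel or a sandbox policy refuses unprivileged user namespaces or mounts, which is itself a useful check when deciding whether unprivileged containers can run on a host.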

