[lxc-users] pre-mount hook namespace
Wolfgang Bumiller
w.bumiller at proxmox.com
Wed Nov 11 16:01:34 UTC 2015
Thanks for the reply.
> On November 11, 2015 at 4:40 PM Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> > This puts us in a bit of a pickle as we'd like to setup mountpoints
> > for an unprivileged container without giving it access to more than it
> > needs (in particular, the storage configuration and processes involved
> > in managing and activating them.)
>
> Please give a specific example of what you want.
Mount a filesystem for the unprivileged user which they cannot
mount by themselves due to a lack of permissions.
# mount -o loop /path/you/don't/have/access/to.img /the/container
> In order for an unprivileged user to be able to manipulate the mounts
> table, he must *first* unshare the user namespace. That is so that
> if he mounts something over /etc/shadow, he can only trick setuid-root
> programs (like login) owned by his own user namespace.
Ah yes. I just read up on the mount namespace restrictions
section in user_namespaces(7).
Looks like it'll have to be mounting in the pre-start hook and
unmounting in the post-stop hook and letting the mounts stay
visible in the host's namespace.