[lxc-users] LXD - bind mount inside container

Serge E. Hallyn serge at hallyn.com
Tue Jun 14 15:14:24 UTC 2016


On Tue, Jun 14, 2016 at 07:17:58AM -0400, Ron Kelley wrote:
> Thanks.  These containers are running as a web-hosting container for our user sites (we host one site per container).  Does your security statement below mean I could run into security issues if we enable the security.nesting option?  One of the primary drivers for containers is for security - we don’t want one site “bleeding” into another.

The unfortunate cause of this is that since AppArmor is purely pathname-based,
and there are rules to prevent writing to sensitive files, allowing
containers to bind mount things can allow circumventing those rules.

However, so long as you're using unprivileged containers (which you'd
better be, given your application), it's more of a defense-in-depth issue:
we don't know of, or expect, any cases where your container user would
actually be able to write to sensitive files like sysrq-trigger, because they
will be owned by -1.

So "it's probably ok" but only do it if you really need to.  Perhaps
you can allow bind mounting only from/to certain paths?

-serge
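
Serge's closing suggestion (allow bind mounting only from/to certain paths) can be expressed as AppArmor mount rules appended to the container's generated profile. What follows is an added example, not code from this thread or from LXD's own profile templates; the paths /srv/sites and /var/www are hypothetical, both taken as seen from inside the container, and the usage note assumes LXD's raw.apparmor config key, which appends entries to the profile LXD generates.

```apparmor
# Added example, not from the lxc-users thread or from LXD's profile templates.
# Assumed layout (hypothetical): site data is attached at /srv/sites/ and the
# web server expects it under /var/www/, both paths as seen from inside the
# container. Only bind mounts between those two trees are permitted.

# Bind (and recursive bind) only from the site tree into the web root.
mount options=(rw,bind)  /srv/sites/** -> /var/www/**,
mount options=(rw,rbind) /srv/sites/** -> /var/www/**,

# Allow tearing those mounts down again.
umount /var/www/**,

# Anything else (bind-mounting /proc, /sys or / under some other name, mounting
# new filesystems, ...) matches no rule and is rejected by AppArmor, which is
# what keeps pathname-based deny rules such as the one on /proc/sysrq-trigger
# meaningful. Do not add a blanket "deny mount," here: deny rules take
# precedence over allow rules in AppArmor, so it would defeat the two bind
# rules above as well.
```

Append the rules with `lxc config set <container> raw.apparmor "$(cat site-mounts.txt)"` and restart the container, then check both directions from inside it: `mount --bind /srv/sites/example /var/www/example` should succeed, while `mount --bind /proc /tmp/p` should fail with a permission error and show up as a DENIED mount operation in the host's audit log. This narrows what `security.nesting` opens up, but it is still an allowance of bind mounts, so keep the containers unprivileged as Serge recommends.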

