Hello,

I've come across the need to restrict the ability to mount filesystems inside a container, and probably to forbid remounting of filesystems already mounted in the container namespace (mounted by lxc-start, for example). It seems that the obvious solution is to drop a capability from the bounding set of processes inside the container. Unfortunately there is no separate capability for mount/umount, and dropping CAP_SYS_ADMIN is unacceptable in my case.

I don't see a way to solve this problem without modifying kernel code, though I don't know how exactly to modify it. My first thought was to create a new separate capability, CAP_SYS_MOUNT, although it may break existing applications which presume CAP_SYS_ADMIN would be enough to do mount/umount. Another option to solve this problem would be to create a cgroup controller with a list of permitted filesystem types, similar to the existing controller for devices (CGROUP_DEVICE).

Any suggestions will be helpful.

With best regards,
Sergey Kononenko

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers
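As an added illustration that is not part of the post above, the following C program shows one way to get the effect the poster describes without touching the kernel or dropping CAP_SYS_ADMIN: a seccomp-BPF filter, installed by the container's init before it executes the workload, that fails only the mount(2) and umount2(2) syscalls. The poster did not mention seccomp; the filter, the EACCES return value and the function names are this example's own choices.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#if defined(__x86_64__)
#define THIS_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define THIS_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
/* Install a seccomp-BPF filter that makes mount(2) and umount2(2) fail with
 * EACCES and leaves every other syscall (and CAP_SYS_ADMIN) untouched. */
int deny_mount_syscalls(void)
{
    struct sock_filter filter[] = {
        /* Kill the process if the ABI is not the one we were built for. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* Load the syscall number: mount and umount2 get EACCES, the rest pass. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mount, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_umount2, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof(filter) / sizeof(filter[0]),
                               .filter = filter };
    /* no_new_privs lets an unprivileged process install the filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
/* Attempt a tmpfs mount and return the errno the kernel reports (0 if it
 * succeeded, in which case it is unmounted again). Once the filter is in
 * place the answer is EACCES from the filter, even for a CAP_SYS_ADMIN holder. */
int try_tmpfs_mount(const char *target)
{
    if (mount("none", target, "tmpfs", 0, NULL) == 0) {
        umount2(target, 0);
        return 0;
    }
    return errno;
}
```

The filter covers only the classic mount(2) and umount2(2) entry points; kernels from 5.2 onward also expose the new mount API (fsopen, fsmount, move_mount, open_tree), which a production filter would have to list as well, and per-filesystem-type policy like the cgroup controller the poster sketches is not expressible this way because the BPF program cannot dereference the type string argument.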