> Could you explain a little more why you have this requirement?
> Anybody in their own filesystem namespace can do no harm to users in
> other namespaces. What's the worry?

I don't want to expose information about the hardware configuration to processes inside a container, which can now be easily accessed by mounting sysfs. Also, through sysfs direct access to hardware is possible, and that definitely can do harm to other containers and the whole system. For example, removing hard drives by

echo 1 > /sys/bus/scsi/drivers/sd/<SCSI-ID>/delete

So I definitely want to forbid mounting of sysfs inside a container. And probably there are some other "dangerous" filesystems.

Also, in the future I plan to make a mount option for the proc filesystem which hides kernel low-level or hardware information (/proc/bus, /proc/interrupts, etc.). And I want to mount proc with such an option inside the container once, without the possibility of remounting it without the option and getting an unrestricted view of proc.

With best regards,
Sergey Kononenko.

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers
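The two conditions described in the mail above (a writable sysfs reachable from inside the container, and a proc mount without the restricting option) can be checked from a container's own mount table. The script below is an added example, not code from the mail or from the containers patch set: it parses /proc/self/mountinfo lines and reports sysfs mounts that are not read-only and proc mounts that lack the restricting option. The option name `hidehw` and the sample mountinfo lines are assumptions constructed for the example; the mail does not name the planned option.

```shell
#!/bin/sh
# Added example (not from the original mail): audit a mountinfo listing for
# a writable sysfs mount (exposes /sys/bus/scsi/drivers/sd/*/delete and
# friends) and a proc mount that lacks the restricting mount option.

# ASSUMPTION: the mail only says a future proc option will hide /proc/bus,
# /proc/interrupts etc.; it is called "hidehw" here for illustration.
PROC_RESTRICT_OPT="${PROC_RESTRICT_OPT:-hidehw}"

# audit_mountinfo: read /proc/self/mountinfo-format lines on stdin and print
# one finding per offending mount, in input order:
#   WRITABLE_SYSFS <mountpoint>     sysfs mounted without "ro"
#   UNRESTRICTED_PROC <mountpoint>  proc mounted without $PROC_RESTRICT_OPT
# mountinfo layout: id parent maj:min root mntpoint mntopts [optional...] - fstype source superopts
audit_mountinfo() {
    awk -v want="$PROC_RESTRICT_OPT" '
    NF == 0 { next }
    {
        # optional fields sit between field 6 and the "-" separator
        for (i = 7; i <= NF; i++) if ($i == "-") break
        fstype = $(i + 1); superopts = $(i + 3)
        mntpt = $5; mntopts = $6
        # read-only if either the per-mount or the superblock options say "ro"
        ro = (mntopts ~ /(^|,)ro(,|$)/) || (superopts ~ /(^|,)ro(,|$)/)
        if (fstype == "sysfs" && !ro)
            printf "WRITABLE_SYSFS %s\n", mntpt
        if (fstype == "proc") {
            has = 0
            n = split(superopts, parts, ",")
            for (j = 1; j <= n; j++) if (parts[j] == want) has = 1
            if (!has) printf "UNRESTRICTED_PROC %s\n", mntpt
        }
    }'
}

# Constructed sample (not captured from a real system): a default proc and
# sysfs, a read-only sysfs bind and a proc mounted with the assumed option.
SAMPLE_MOUNTINFO='20 1 0:4 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
21 1 0:19 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
22 1 0:19 / /mnt/sysro ro,nosuid,nodev,noexec,relatime - sysfs sysfs rw
23 1 0:4 / /mnt/procsafe rw,nosuid,nodev,noexec,relatime - proc proc rw,hidehw'

# Run against the sample; on a real container pipe /proc/self/mountinfo instead.
printf '%s\n' "$SAMPLE_MOUNTINFO" | audit_mountinfo
```

Note what this check cannot see: a process holding CAP_SYS_ADMIN in the container can simply mount a fresh sysfs or proc somewhere else, which is exactly why the mail asks to forbid the mount itself rather than rely on how an existing mount was configured. The audit only tells you whether the mounts you already have are in the intended state.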