Hello. I asked similar question on lxc-devel@ but got no reply. Since the issue is in kernel entirely, I'm asking in containers@ now. As a base, I used lxc utils. First of all, I'm concerned about file namespace security in a container. It is, basically, just a chroot(2), or at least it looks like that to me. But as we know, root can break out of chroot. Are there any protection methods that prevents this break-out? I see lxc-start performs one additional rbind-mount - whole root filesystem of a container to a temporary directory (mktemp), and uses that temp dir as root for the container. I wonder what it is trying to achieve this way. Is it related to the first question and prevents breaking out of chroot somehow? On a similar note, can pivot_root be used there instead of a chroot? But see below for this one. Inside a container, /proc/mounts is a complete mess, since most paths are not accessible (out of chroot). When using real /etc/mtab things become much nicer, but mtab has been made a link to /proc/mounts for a purpose. So I wonder if we can clean that stuff up for real. I mean, not /proc/mounts by itself but the namespace. For that, using pivot_root instead of a chroot to keep other filesystems available directly, and umount all of them which are not useful. I understand it is not always possible (you can't umount /oldroot/usr as long as /oldroot/usr/containerroot is bind-mounted to /), but I think it's worth to try, at least in cases where it is doable (maybe not for general utils but in custom use-case). But before trying, I want to understand the security implicatins and the whole root barrier thing if any -- see my first question. Thanks! /mjt _______________________________________________ Containers mailing list Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linux-foundation.org/mailman/listinfo/containers
