On Mon, Jan 23, 2012 at 08:56:08PM +0400, Glauber Costa wrote:
> This patch creates a list of allowed filesystems per-namespace.
> The goal is to prevent users inside a container, even root,
> from mounting filesystems that are not allowed by the main box admin.
>
> My main two motivators to pursue this are:
> 1) We want to prevent a certain tailored view of some virtual
> filesystems, for example, by bind-mounting files with userspace
> generated data into /proc. The ability of mounting /proc inside
> the container works against this effort, while disallowing it
> via capabilities would have the effect of disallowing other
> mounts as well.

Translation, please.

> 2) Some filesystems are known not to behave well under a container
> environment. They require changes to work in a safe way. We can
> whitelist only the filesystems we want.

So fix them.

> This works as a whitelist. Only filesystems in the list are allowed
> to be mounted. Doing a blacklist would create problems when, say,
> a module is loaded. The whitelist is only checked if it is enabled first.
> So any setup that was already working will keep working. And whoever
> is not interested in limiting filesystem mounts does not need
> to bother about it.
>
> Please let me know what you guys think about it.

NAKed-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
NAKed-because: too fucking ugly

This is bloody ridiculous; if you want to prevent a luser admin playing with the set of mounts you've given it, the right way to go is not to mess with the "which fs types are allowed" but to add a per-namespace "immutable" flag. And add a new clone(2)/unshare(2) flag, used only along with CLONE_NEWNS and setting the "immutable" on the copied namespace.