Thanks for the reply.

> On November 11, 2015 at 4:40 PM Serge Hallyn <[email protected]> wrote:
> > This puts us in a bit of a pickle as we'd like to set up mountpoints
> > for an unprivileged container without giving it access to more than it
> > needs (in particular, the storage configuration and processes involved
> > in managing and activating them.)
>
> Please give a specific example of what you want.

Mount a filesystem for the unprivileged user which they cannot mount by themselves due to a lack of permissions.

# mount -o loop /path/you/don't/have/access/to.img /the/container

> In order for an unprivileged user to be able to manipulate the mounts
> table, he must *first* unshare the user namespace. That is so that
> if he mounts something over /etc/shadow, he can only trick setuid-root
> programs (like login) owned by his own user namespace.

Ah yes. I just read up on the mount namespace restrictions section in user_namespaces(7). Looks like it'll have to be mounting in the pre-start hook and unmounting in the post-stop hook and letting the mounts stay visible in the host's namespace.
