Hi,

On Fri, Feb 04, 2011 at 04:39:57PM -0200, Andre Nathan wrote:
> Let's say I have a file bind-mounted in read-only mode from the host to
> the container. For example, /etc/resolv.conf.
>
> In the container, I can use the mount command with the -oremount,rw
> options and then edit the file from the container.

This is indeed possible. I have tried this in the 'standard' sshd-container with read-only bind mounts. From within the container one can do a remount and after that make changes to the host filesystem (add, delete and change files).

So the bind read-only mounts are no protection against changing the filesystem of the container, but even make it possible to corrupt the _host_ filesystem ...

> Is there a way to disable that behavior and forbid the mount options

Perhaps there should be a drop.caps possibility to prevent remounting from within the container.

Cheers,
Matto
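The read-only bind mount discussed above is read-only only on the mountpoint (the vfsmount flag), not on the underlying filesystem, which is why a remount can flip it. The script below is an added audit example, not code from this thread or from LXC: it parses a constructed /proc/self/mountinfo sample and lists mounts whose per-mount flag is "ro" while the superblock is still "rw", i.e. the mounts that stay exposed to remount unless the container drops CAP_SYS_ADMIN as suggested.

```shell
#!/bin/sh
# Constructed sample of /proc/self/mountinfo as seen inside a container
# (sample data, not taken from the mail). Field layout:
#   id parent maj:min root mountpoint per-mount-opts [tags...] - fstype source super-opts
SAMPLE_MOUNTINFO=$(cat <<'EOF'
25 0 8:1 / / rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
30 25 8:1 /etc/resolv.conf /etc/resolv.conf ro,relatime - ext4 /dev/sda1 rw,errors=remount-ro
31 25 0:20 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
32 25 7:0 / /mnt/iso ro,relatime - iso9660 /dev/loop0 ro
EOF
)

# Print mountpoints whose per-mount options start with "ro" while the
# super-block options start with "rw". The kernel always prints rw/ro as
# the first entry of both option lists, so checking the first entry is
# enough. Such a mount is only read-only at the mountpoint level; a
# "mount -o remount,rw" by a process holding CAP_SYS_ADMIN makes it
# writable again. A mount whose superblock is itself ro (the ISO line)
# is not reported because there is nothing to flip.
flippable_ro_mounts() {
    # $1: mountinfo text (normally: cat /proc/self/mountinfo)
    printf '%s\n' "$1" | awk '{
        mnt = $5; mopts = $6; sopts = ""
        # the " - " separator marks the end of the optional-tag fields
        for (i = 7; i <= NF; i++) if ($i == "-") { sopts = $(i + 3); break }
        split(mopts, m, ","); split(sopts, s, ",")
        if (m[1] == "ro" && s[1] == "rw") print mnt
    }'
}

flippable_ro_mounts "$SAMPLE_MOUNTINFO"
```

Newer kernels lock the read-only flag of mounts inherited into a user namespace so that the remount is refused there; the script reports only where the per-mount flag is the sole guard.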
_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users