Re: [systemd-devel] remount

2014-11-10 Thread Lennart Poettering
On Fri, 07.11.14 15:35, Fisher, Charles J. (Top Echelon) 
(charles.fis...@alcoa.com) wrote:

> When I start a container like this:
>
> [root@limsdev ~]# systemd-nspawn -bD /home/limsbox --bind-ro=/usr/lib64 --bind-ro=/home/oracle/Ora12c/db
>
> Is there any way I can stop the container root from being able to do this?:
>
> ~ # mount -o remount,rw /usr/lib64

Disallowing that would mean taking CAP_SYS_ADMIN away from the
container. However that takes away quite a few different features,
including *any* kind of mounting. However, systemd relies on that to
properly implement PrivateTmp= and similar bits that require setting
up a mount namespace and bind mounting things within it.

That said, you actually can drop the cap, with the
--drop-capability=CAP_SYS_ADMIN switch, but YMMV.

Containers are really not about security, there are tons of security
holes in the entire scheme. We make this abundantly clear in the man
page of nspawn...

Lennart

-- 
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
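
A check for whether `--drop-capability=CAP_SYS_ADMIN` took effect, as an added example that is not part of the original posts: run inside the container, it reads the capability masks from `/proc/self/status` and tests bit 21 (CAP_SYS_ADMIN). The function names and the sample masks are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report whether CAP_SYS_ADMIN is present
# in the effective and bounding capability sets of a /proc/<pid>/status dump.

CAP_SYS_ADMIN=21   # capability number from <linux/capability.h>

# has_cap HEXMASK BIT: succeed if BIT is set in the hexadecimal mask
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# check_sys_admin: read status text on stdin, print "CapEff=<s> CapBnd=<s>"
# where <s> is yes, no, or unknown (field missing from the input)
check_sys_admin() {
    eff=unknown
    bnd=unknown
    while read -r key mask rest; do
        case $key in
            CapEff:) if has_cap "$mask" "$CAP_SYS_ADMIN"; then eff=yes; else eff=no; fi ;;
            CapBnd:) if has_cap "$mask" "$CAP_SYS_ADMIN"; then bnd=yes; else bnd=no; fi ;;
        esac
    done
    printf 'CapEff=%s CapBnd=%s\n' "$eff" "$bnd"
}

# Constructed sample: a root process with capabilities 0-36 all set
sample_with_cap() {
    printf 'Name:\tsh\nCapEff:\t0000001fffffffff\nCapBnd:\t0000001fffffffff\n'
}

# Constructed sample: the same masks with bit 21 (CAP_SYS_ADMIN) cleared
sample_without_cap() {
    printf 'Name:\tsh\nCapEff:\t0000001fffdfffff\nCapBnd:\t0000001fffdfffff\n'
}

sample_with_cap | check_sys_admin
sample_without_cap | check_sys_admin

# Inside the container, check the current shell itself
if [ -r /proc/self/status ]; then
    check_sys_admin < /proc/self/status
fi
```

With `CapEff=no CapBnd=no`, the `mount -o remount,rw` from the question is refused, since remounting requires CAP_SYS_ADMIN.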


[systemd-devel] remount

2014-11-07 Thread Fisher, Charles J. (Top Echelon)
When I start a container like this:

[root@limsdev ~]# systemd-nspawn -bD /home/limsbox --bind-ro=/usr/lib64 --bind-ro=/home/oracle/Ora12c/db

Is there any way I can stop the container root from being able to do this?:

~ # mount -o remount,rw /usr/lib64