On Fri, 07.11.14 15:35, Fisher, Charles J. (Top Echelon) (charles.fis...@alcoa.com) wrote:
> When I start a container like this:
>
> [root@limsdev ~]# systemd-nspawn -bD /home/limsbox --bind-ro=/usr/lib64 --bind-ro=/home/oracle/Ora12c/db
>
> Is there any way I can stop the container root from being able to do this?:
>
> ~ # mount -o remount,rw /usr/lib64

Disallowing that would mean taking CAP_SYS_ADMIN away from the container. However, that takes away quite a few different features, including *any* kind of mounting. However, systemd relies on that to properly implement PrivateTmp= and similar bits that require setting up a mount namespace and bind mounting things within it.

That said, you actually can drop the cap, with the --drop-capability=CAP_SYS_ADMIN switch, but YMMV.

Containers are really not about security; there are tons of security holes in the entire scheme. We make this abundantly clear in the man page of nspawn...

Lennart

--
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
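An added example, not part of the thread above, of the two checks a defender would run from inside the container after trying --drop-capability=CAP_SYS_ADMIN: whether CAP_SYS_ADMIN is still in the bounding set (bit 21 of CapBnd in /proc/self/status) and whether the --bind-ro mount point still shows read-only per-mount flags in /proc/self/mountinfo. The mountinfo lines are constructed to model the /usr/lib64 bind mount from the question; the mount IDs and device are made up.

```shell
#!/bin/sh
# Added example (not from the thread): verify, from inside a systemd-nspawn
# container, whether CAP_SYS_ADMIN was actually dropped and whether a
# --bind-ro mount is still read-only (i.e. nobody has remounted it rw).

CAP_SYS_ADMIN=21   # capability number from <linux/capability.h>

# has_cap_sys_admin HEXMASK: HEXMASK is the CapBnd value as printed in
# /proc/self/status (e.g. 0000003fffffffff). Prints yes or no.
has_cap_sys_admin() {
    mask=$(( 0x$1 ))
    if [ $(( (mask >> CAP_SYS_ADMIN) & 1 )) -eq 1 ]; then echo yes; else echo no; fi
}

# mount_state MOUNTPOINT: reads /proc/self/mountinfo format on stdin and
# prints ro or rw from the per-mount flags (field 6), or absent if the
# mount point is not present at all.
mount_state() {
    awk -v mp="$1" '
        $5 == mp { split($6, o, ","); found = 1
                   if (o[1] == "ro") print "ro"; else print "rw"; exit }
        END { if (!found) print "absent" }'
}

# Constructed mountinfo lines modelled on --bind-ro=/usr/lib64: before and
# after a "mount -o remount,rw /usr/lib64" by container root.
sample_mountinfo_before() {
    echo '42 35 253:0 /usr/lib64 /usr/lib64 ro,relatime - ext4 /dev/mapper/root rw'
}
sample_mountinfo_after() {
    echo '42 35 253:0 /usr/lib64 /usr/lib64 rw,relatime - ext4 /dev/mapper/root rw'
}

# Live check when run inside a container (skipped where /proc is absent).
if [ -r /proc/self/status ]; then
    capbnd=$(awk '/^CapBnd:/ { print $2 }' /proc/self/status)
    echo "CAP_SYS_ADMIN in bounding set: $(has_cap_sys_admin "$capbnd")"
    echo "/usr/lib64 mount flags: $(mount_state /usr/lib64 < /proc/self/mountinfo)"
fi
```

A bounding set of 0000003fffffffff still carries CAP_SYS_ADMIN; 0000003fffdfffff is the same set with bit 21 cleared, which is what a successful --drop-capability=CAP_SYS_ADMIN should produce.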