On 2015-01-23 08:29, Mantas Mikulėnas wrote:
> IIRC, the reason for tmpfs on /run/user/* was lack of tmpfs quotas...
> if that's still a problem, maybe there could be one tmpfs at /run/user,
> still preventing users from touching root-only /run?

Yes, that's a good idea. Initially when posting this thread I thought
that there just had to be a trade-off between dropping CAP_SYS_ADMIN
(and making it more difficult to escape the container), and a user
inside the container DoSing the container by filling up /run.

But with your idea, I can at least separate /run/user from /run
itself (the same way mode=1777 /run/lock is a separate tmpfs already)
by just a simple static mount entry for the container.

Thanks for bringing this up!

Christian
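
A check for the layout discussed above, added here as an example and not part of the thread: given the text of /proc/self/mountinfo, it reports whether /run/user is its own tmpfs and whether that tmpfs carries a size= limit, so that filling it cannot exhaust the root-only /run. The sample mount table is constructed; the function name and its result words are my own.

```shell
#!/bin/sh
# Added example (not from the thread). Sample /proc/self/mountinfo lines,
# constructed to show a /run/user tmpfs with a size= limit next to /run.
SAMPLE_MOUNTINFO='23 1 0:21 / /run rw,nosuid,nodev shared:5 - tmpfs tmpfs rw,mode=755
28 23 0:22 / /run/lock rw,nosuid,nodev,noexec shared:6 - tmpfs tmpfs rw,size=5120k,mode=1777
45 23 0:31 / /run/user rw,nosuid,nodev shared:9 - tmpfs tmpfs rw,size=102400k,mode=755'

# check_run_user_mount MOUNTINFO_TEXT
# Prints "ok"        when /run/user is a separate tmpfs with a size= limit,
#        "shared"    when /run/user is not a mount point (it lives inside /run,
#                    so a user filling it fills /run as well),
#        "unbounded" when it is a separate tmpfs but has no size= limit,
#        "not-tmpfs:<fstype>" otherwise.
check_run_user_mount() {
    # field 5 of mountinfo is the mount point
    line=$(printf '%s\n' "$1" | awk '$5 == "/run/user" { print; exit }')
    if [ -z "$line" ]; then
        echo shared
        return 1
    fi
    # fields after the " - " separator are: fstype source superblock-options
    fstype=$(printf '%s\n' "$line" | sed 's/.* - //' | awk '{ print $1 }')
    superopts=$(printf '%s\n' "$line" | sed 's/.* - //' | awk '{ print $3 }')
    case "$fstype" in
        tmpfs) ;;
        *) echo "not-tmpfs:$fstype"; return 1 ;;
    esac
    # tmpfs reports its size= limit among the superblock options
    case ",$superopts," in
        *,size=*) echo ok; return 0 ;;
        *) echo unbounded; return 1 ;;
    esac
}

# Stand-alone run against the constructed sample (prints "ok");
# on a live system use: check_run_user_mount "$(cat /proc/self/mountinfo)"
check_run_user_mount "$SAMPLE_MOUNTINFO"
```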

_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
