On Tue, Sep 14, 2021 at 8:52 AM Vivek Goyal <[email protected]> wrote: > Same is the requirement for regular containers and that's why > podman (and possibly other container managers), make top level > storage directory only readable and searchable by root, so that > unpriveleged entities on host can not access container root filesystem > data.
Note--if that directory is on NFS, making it readable and searchable by root is very weak protection, since it's often possible for an attacker to guess filehandles and access objects without the need for directory lookups. --b. _______________________________________________ Virtio-fs mailing list [email protected] https://listman.redhat.com/mailman/listinfo/virtio-fs
