[systemd-devel] remount

Lennart Poettering lennart at poettering.net
Mon Nov 10 05:35:54 PST 2014


On Fri, 07.11.14 15:35, Fisher, Charles J. (Top Echelon) (Charles.Fisher at alcoa.com) wrote:

> When I start a container like this:
> 
> [root at limsdev ~]# systemd-nspawn -bD /home/limsbox --bind-ro=/usr/lib64 --bind-ro=/home/oracle/Ora12c/db
> 
> Is there any way I can stop the container root from being able to do this?:
> 
> ~ # mount -o remount,rw /usr/lib64

Disallowing that would mean taking CAP_SYS_ADMIN away from the
container. However, that takes away quite a few different features,
including *any* kind of mounting. However, systemd relies on that to
properly implement PrivateTmp= and similar bits that require setting
up a mount namespace and bind mounting things within it.

That said, you actually can drop the cap, with the
--drop-capability=CAP_SYS_ADMIN switch, but YMMV.

Containers are really not about security; there are tons of security
holes in the entire scheme. We make this abundantly clear in the man
page of nspawn...

Lennart

-- 
Lennart Poettering, Red Hat
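An added example, not part of the thread above: the point of --drop-capability=CAP_SYS_ADMIN is that the capability leaves the container's bounding set, so a defender can verify the switch took effect by reading the CapBnd line of /proc/<pid>/status for the container's PID 1 as seen from the host. CAP_SYS_ADMIN is capability number 21 in the kernel's capability.h; the status excerpts below are constructed, and the PID to inspect is whatever the host shows for the container leader.

```shell
#!/bin/sh
# Added example: check whether a process still holds CAP_SYS_ADMIN by
# parsing the CapBnd mask from a /proc/<pid>/status text (not nspawn code).
CAP_SYS_ADMIN=21   # capability number from include/uapi/linux/capability.h

# has_cap CAPNUM STATUS_TEXT -> 0 if CAPNUM is in CapBnd, 1 if not, 2 on parse error.
# The bounding set is the mask that matters: once a capability is dropped
# from it, no process inside the container can regain it.
has_cap() {
    capnum=$1
    status=$2
    mask=$(printf '%s\n' "$status" | sed -n 's/^CapBnd:[[:space:]]*//p')
    [ -n "$mask" ] || { echo "no CapBnd line in status text" >&2; return 2; }
    [ $(( (0x$mask >> capnum) & 1 )) -eq 1 ]
}

# check_container_leader PID -> 0 when the container cannot remount a
# --bind-ro mount read-write, 1 when it still can (CAP_SYS_ADMIN present).
check_container_leader() {
    pid=$1
    if has_cap "$CAP_SYS_ADMIN" "$(cat /proc/"$pid"/status)"; then
        echo "pid $pid has CAP_SYS_ADMIN: remount,rw of a --bind-ro path would succeed"
        return 1
    fi
    echo "pid $pid lacks CAP_SYS_ADMIN: remount,rw of a --bind-ro path is refused"
    return 0
}

# Constructed status excerpts (not captured from a real machine).
# Default container: full bounding set, bit 21 set.
SAMPLE_DEFAULT='Name:	systemd
CapInh:	0000000000000000
CapBnd:	0000003fffffffff'
# Same container started with --drop-capability=CAP_SYS_ADMIN: bit 21 cleared.
SAMPLE_DROPPED='Name:	systemd
CapInh:	0000000000000000
CapBnd:	0000003fffdfffff'

# Usage on a live host: check_container_leader "$(machinectl show -p Leader --value limsbox)"
```

On a live host, feed the leader PID reported by machinectl to check_container_leader; a non-zero exit means the container root still has CAP_SYS_ADMIN.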

