On Wed, Feb 8, 2017 at 7:36 PM, Neil Bothwick <n...@digimed.co.uk> wrote:
>
> It shouldn't matter that they are bind-mounted. The -x switch excludes
> anything on a different filesystem.
>
Agree, but I will note that one of the advantages of using a container and
mounting a new /dev is that you get a greatly reduced /dev, which helps
protect your physical devices. For example, here is /dev from one of my
containers:

# ls -l /dev/
total 0
crw--w---- 1 root tty  136,  3 Feb  4 08:57 console
lrwxrwxrwx 1 root root      11 Feb  4 08:57 core -> /proc/kcore
lrwxrwxrwx 1 root root      13 Feb  4 08:57 fd -> /proc/self/fd
crw-rw-rw- 1 root root   1,  7 Feb  4 08:57 full
drwxr-xr-x 2 root root       0 Feb  4 08:57 hugepages
lrwxrwxrwx 1 root root      25 Feb  4 08:57 initctl -> /run/systemd/initctl/fifo
lrwxrwxrwx 1 root root      28 Feb  4 08:57 log -> /run/systemd/journal/dev-log
drwxrwxrwt 2 root root      40 Feb  4 08:57 mqueue
drwxr-xr-x 2 root root      60 Feb  4 08:57 net
crw-rw-rw- 1 root root   1,  3 Feb  4 08:57 null
lrwxrwxrwx 1 root root       8 Feb  4 08:57 ptmx -> pts/ptmx
drwxr-xr-x 2 root root       0 Feb  4 08:57 pts
crw-rw-rw- 1 root root   1,  8 Feb  4 08:57 random
drwxrwxrwt 2 root root      40 Feb  4 08:57 shm
lrwxrwxrwx 1 root root      15 Feb  4 08:57 stderr -> /proc/self/fd/2
lrwxrwxrwx 1 root root      15 Feb  4 08:57 stdin -> /proc/self/fd/0
lrwxrwxrwx 1 root root      15 Feb  4 08:57 stdout -> /proc/self/fd/1
crw-rw-rw- 1 root root   5,  0 Feb  4 08:57 tty
crw-rw-rw- 1 root root   1,  9 Feb  4 08:57 urandom
crw-rw-rw- 1 root root   1,  5 Feb  4 08:57 zero

As you can see, there is limited ability for even root to accidentally mess
something up. If you bind-mount /dev in a regular chroot (without a hardening
technology on top) and something running as root in the chroot tries to write
to /dev/sda, then it will have the obvious result.

Note that Linux containers are not yet 100% secure, so this should be viewed
as a protection against accidental damage, not as equivalent to a VM. Non-root
processes inside a container are considered to be pretty secure, I believe,
and I believe root is supposed to be OK if it is running in a container in a
separate user namespace (so it is non-root on the host).

--
Rich
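The /dev hygiene Rich describes, as an added example that is not code from the thread or from any container tool: one shell function audits an `ls -l /dev` listing for block devices and for character devices outside the small set a minimal /dev needs (flagging /dev/sda and /dev/mem, which share major 1 with /dev/null), and a second creates that minimal /dev with mknod for a plain chroot instead of bind-mounting the host's. The function names are this example's own, and both listings are constructed here, the first mirroring the container /dev shown above.

```shell
#!/bin/sh
# Added example (not from the thread): check a /dev tree for nodes that give
# root inside a chroot or container raw access to host hardware, and build the
# kind of minimal /dev shown in the listing above instead of bind-mounting the
# host's.  Function names are this example's own; the two listings below are
# constructed, not captured from a real system.

# Major/minor numbers follow Linux Documentation/admin-guide/devices.txt.
# A minimal /dev needs only: null 1,3  zero 1,5  full 1,7  random 1,8
# urandom 1,9  tty 5,0  console 5,1  ptmx 5,2  and pts slaves (majors 136-143).
# Every block device and every other char device is flagged.  Filtering on
# major 1 alone would be wrong: /dev/mem is 1,1 and /dev/kmem is 1,2.

# audit_dev_listing: read `ls -l` output on stdin (so this runs unprivileged),
# print "BLOCK|CHAR name major,minor" per suspicious node, exit 1 if any found.
audit_dev_listing() {
    awk '
    BEGIN {
        split("1:3 1:5 1:7 1:8 1:9 5:0 5:1 5:2", a, " ")
        for (i in a) ok[a[i]] = 1
    }
    /^[bc]/ {
        kind  = substr($1, 1, 1)
        major = $5 + 0          # ls prints the major as "8,"; +0 drops the comma
        minor = $6 + 0
        name  = $NF
        if (kind == "b") {
            print "BLOCK", name, major "," minor; bad++
        } else if (!((major ":" minor) in ok) && !(major >= 136 && major <= 143)) {
            print "CHAR", name, major "," minor; bad++
        }
    }
    END { exit (bad > 0) }'
}

# populate_minimal_dev ROOT: create the char nodes a chroot needs under ROOT/dev.
# Must run as root (mknod, mount); it never creates a block device, so a write
# to /dev/sda inside the chroot fails with ENOENT instead of hitting the disk.
populate_minimal_dev() {
    d="$1/dev"
    mkdir -p "$d/pts" "$d/shm"
    mknod -m 666 "$d/null"    c 1 3
    mknod -m 666 "$d/zero"    c 1 5
    mknod -m 666 "$d/full"    c 1 7
    mknod -m 666 "$d/random"  c 1 8
    mknod -m 666 "$d/urandom" c 1 9
    mknod -m 666 "$d/tty"     c 5 0
    mknod -m 600 "$d/console" c 5 1
    ln -s /proc/self/fd   "$d/fd"
    ln -s /proc/self/fd/0 "$d/stdin"
    ln -s /proc/self/fd/1 "$d/stdout"
    ln -s /proc/self/fd/2 "$d/stderr"
    # A private devpts instance gives the chroot its own ptmx and pts slaves.
    mount -t devpts -o newinstance,ptmxmode=666 devpts "$d/pts"
    ln -s pts/ptmx "$d/ptmx"
    mount -t tmpfs -o mode=1777 tmpfs "$d/shm"
}

# Constructed listings: the first mirrors the container /dev above, the second
# adds the kind of nodes a bind-mounted host /dev brings along.
CONTAINER_DEV='total 0
crw--w---- 1 root tty  136,  3 Feb  4 08:57 console
lrwxrwxrwx 1 root root      13 Feb  4 08:57 fd -> /proc/self/fd
crw-rw-rw- 1 root root   1,  7 Feb  4 08:57 full
crw-rw-rw- 1 root root   1,  3 Feb  4 08:57 null
lrwxrwxrwx 1 root root       8 Feb  4 08:57 ptmx -> pts/ptmx
drwxr-xr-x 2 root root       0 Feb  4 08:57 pts
crw-rw-rw- 1 root root   1,  8 Feb  4 08:57 random
crw-rw-rw- 1 root root   5,  0 Feb  4 08:57 tty
crw-rw-rw- 1 root root   1,  9 Feb  4 08:57 urandom
crw-rw-rw- 1 root root   1,  5 Feb  4 08:57 zero'

HOST_DEV="$CONTAINER_DEV
crw-r----- 1 root kmem   1,   2 Feb  4 08:57 kmem
crw-rw---- 1 root kvm   10, 232 Feb  4 08:57 kvm
crw-r----- 1 root kmem   1,   1 Feb  4 08:57 mem
crw-rw-rw- 1 root tty    5,   2 Feb  4 08:57 ptmx
brw-rw---- 1 root disk   8,   0 Feb  4 08:57 sda
brw-rw---- 1 root disk   8,   1 Feb  4 08:57 sda1
crw--w---- 1 root tty    4,   1 Feb  4 08:57 tty1"

# Usage: populate_minimal_dev /mnt/chroot   (as root, on a prepared chroot dir)
printf '%s\n' "$CONTAINER_DEV" | audit_dev_listing && echo "container /dev: clean"
printf '%s\n' "$HOST_DEV" | audit_dev_listing || echo "host-style /dev: the nodes above expose hardware to root"
```

To audit a live system, run `ls -l /dev | audit_dev_listing` inside the chroot or container; on a box whose /dev is bind-mounted from the host the BLOCK lines are exactly the disks that a stray `dd` or `mkfs` as root would hit. The allow-list is deliberately by major,minor pair rather than by major, which is the trap the /dev/mem entry demonstrates.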