On Wed, Feb 8, 2017 at 7:36 PM, Neil Bothwick <n...@digimed.co.uk> wrote:
>
> It shouldn't matter that they are bind-mounted. The -x switch excludes
> anything on a different filesystem.
>

Agree, but I will note that one of the advantages of using a container
and mounting a new /dev is that you get a greatly reduced /dev which
helps protect your physical devices.

For example, here is /dev from one of my containers:

# ls -l /dev/
total 0
crw--w---- 1 root tty  136, 3 Feb  4 08:57 console
lrwxrwxrwx 1 root root     11 Feb  4 08:57 core -> /proc/kcore
lrwxrwxrwx 1 root root     13 Feb  4 08:57 fd -> /proc/self/fd
crw-rw-rw- 1 root root   1, 7 Feb  4 08:57 full
drwxr-xr-x 2 root root      0 Feb  4 08:57 hugepages
lrwxrwxrwx 1 root root     25 Feb  4 08:57 initctl -> /run/systemd/initctl/fifo
lrwxrwxrwx 1 root root     28 Feb  4 08:57 log -> /run/systemd/journal/dev-log
drwxrwxrwt 2 root root     40 Feb  4 08:57 mqueue
drwxr-xr-x 2 root root     60 Feb  4 08:57 net
crw-rw-rw- 1 root root   1, 3 Feb  4 08:57 null
lrwxrwxrwx 1 root root      8 Feb  4 08:57 ptmx -> pts/ptmx
drwxr-xr-x 2 root root      0 Feb  4 08:57 pts
crw-rw-rw- 1 root root   1, 8 Feb  4 08:57 random
drwxrwxrwt 2 root root     40 Feb  4 08:57 shm
lrwxrwxrwx 1 root root     15 Feb  4 08:57 stderr -> /proc/self/fd/2
lrwxrwxrwx 1 root root     15 Feb  4 08:57 stdin -> /proc/self/fd/0
lrwxrwxrwx 1 root root     15 Feb  4 08:57 stdout -> /proc/self/fd/1
crw-rw-rw- 1 root root   5, 0 Feb  4 08:57 tty
crw-rw-rw- 1 root root   1, 9 Feb  4 08:57 urandom
crw-rw-rw- 1 root root   1, 5 Feb  4 08:57 zero

As you can see, there is limited ability for even root to accidentally
mess something up.  If you bind-mount /dev in a regular chroot
(without a hardening technology on top) and something running as root
in the chroot tries to write to /dev/sda, then it will have the
obvious result.  Note that Linux containers are not yet 100% secure, so
this should be viewed as a protection against accidental damage, not
as equivalent to a VM.  Non-root processes inside a container are
considered to be pretty secure I believe, and I believe root is
supposed to be OK if it is running in a container in a separate user
namespace (so it is non-root on the host).

-- 
Rich
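Added example, not part of Rich's message or of any container project: a small POSIX shell audit that reads an `ls -l /dev` listing (saved from inside a container, or piped live) and flags every block device and every character device whose major:minor is not on a short allowlist. The allowlist (null, zero, full, random, urandom, tty, console, ptmx, plus any major-136 pty slave, since the listing above shows /dev/console as 136,3) is my assumption of what a minimal container /dev needs; adjust it for your workloads. The container listing is the one from the message; the "host-style" listing is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not code from the original message). Audit an `ls -l /dev`
# listing as text, so it runs without root and against saved output.

# Listing from the message above (a systemd-nspawn style container).
SAMPLE_CONTAINER_DEV='total 0
crw--w---- 1 root tty  136, 3 Feb  4 08:57 console
lrwxrwxrwx 1 root root     11 Feb  4 08:57 core -> /proc/kcore
lrwxrwxrwx 1 root root     13 Feb  4 08:57 fd -> /proc/self/fd
crw-rw-rw- 1 root root   1, 7 Feb  4 08:57 full
drwxr-xr-x 2 root root      0 Feb  4 08:57 hugepages
crw-rw-rw- 1 root root   1, 3 Feb  4 08:57 null
lrwxrwxrwx 1 root root      8 Feb  4 08:57 ptmx -> pts/ptmx
drwxr-xr-x 2 root root      0 Feb  4 08:57 pts
crw-rw-rw- 1 root root   1, 8 Feb  4 08:57 random
crw-rw-rw- 1 root root   5, 0 Feb  4 08:57 tty
crw-rw-rw- 1 root root   1, 9 Feb  4 08:57 urandom
crw-rw-rw- 1 root root   1, 5 Feb  4 08:57 zero'

# Constructed listing resembling a host /dev bind-mounted into a chroot.
SAMPLE_HOST_DEV='total 0
brw-rw---- 1 root disk      8,   0 Feb  4 08:57 sda
brw-rw---- 1 root disk      8,   1 Feb  4 08:57 sda1
crw-r----- 1 root kmem      1,   1 Feb  4 08:57 mem
crw-rw-rw- 1 root root      1,   3 Feb  4 08:57 null
crw-rw---- 1 root kvm      10, 232 Feb  4 08:57 kvm'

# audit_dev_listing: stdin is `ls -l` output. Prints one line per offending
# node; exit status 1 if any were found, 0 if the listing is clean.
# Matching is by major:minor (assumed allowlist), not by name, so a
# renamed disk node still gets caught.
audit_dev_listing() {
    awk '
    BEGIN {
        ok["1:3"] = "null";   ok["1:5"] = "zero";    ok["1:7"] = "full"
        ok["1:8"] = "random"; ok["1:9"] = "urandom"
        ok["5:0"] = "tty";    ok["5:1"] = "console"; ok["5:2"] = "ptmx"
        bad = 0
    }
    # Only device nodes matter; symlinks, directories and "total" are skipped.
    /^[bc]/ {
        type  = substr($1, 1, 1)
        major = $5; sub(/,$/, "", major)   # "136," -> "136"
        minor = $6
        name  = $NF
        key   = major ":" minor
        if (type == "b") {
            printf "block device %s (%s) must not be in a container /dev\n", name, key
            bad++
        } else if (!(key in ok) && major != "136") {   # 136: Unix98 pty slaves
            printf "char device %s (%s) is not on the allowlist\n", name, key
            bad++
        }
    }
    END { exit (bad > 0) }
    '
}

# Inside a container:  ls -l /dev | audit_dev_listing
# Against a saved copy: audit_dev_listing < dev.txt
printf '%s\n' "$SAMPLE_HOST_DEV" | audit_dev_listing \
    || echo "host-style /dev fails the audit (expected)"
```

The container listing passes with no output; the host-style one reports sda, sda1, mem and kvm and exits non-zero. Because the check keys on major:minor rather than file names, it is worth pairing with `find /dev -type b` inside the container as a live cross-check, since `ls -l` output can be truncated or reformatted by locale settings.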
