Browse code
/dev should not be readonly with --readonly flag
/dev is mounted on a tmpfs inside of a container. Processes inside of containers
some times need to create devices nodes, or to setup a socket that listens on /dev/log
Allowing these containers to run with the --readonly flag makes sense. Making a tmpfs
readonly does not add any security to the container, since there is plenty of places
where the container can write tmpfs content.
I have no idea why /dev was excluded.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Daniel J Walsh authored on 2017/10/31 22:32:20Showing 2 changed files
| ... | ... |
@@ -628,7 +628,7 @@ func setMounts(daemon *Daemon, s *specs.Spec, c *container.Container, mounts []c |
| 628 | 628 |
if s.Root.Readonly {
|
| 629 | 629 |
for i, m := range s.Mounts {
|
| 630 | 630 |
switch m.Destination {
|
| 631 |
- case "/proc", "/dev/pts", "/dev/mqueue": // /dev is remounted by runc |
|
| 631 |
+ case "/proc", "/dev/pts", "/dev/mqueue", "/dev": |
|
| 632 | 632 |
continue |
| 633 | 633 |
} |
| 634 | 634 |
if _, ok := userMounts[m.Destination]; !ok {
|
| ... | ... |
@@ -2729,7 +2729,7 @@ func (s *DockerSuite) TestRunContainerWithReadonlyRootfs(c *check.C) {
|
| 2729 | 2729 |
if root := os.Getenv("DOCKER_REMAP_ROOT"); root != "" {
|
| 2730 | 2730 |
testPriv = false |
| 2731 | 2731 |
} |
| 2732 |
- testReadOnlyFile(c, testPriv, "/file", "/etc/hosts", "/etc/resolv.conf", "/etc/hostname", "/sys/kernel", "/dev/.dont.touch.me") |
|
| 2732 |
+ testReadOnlyFile(c, testPriv, "/file", "/etc/hosts", "/etc/resolv.conf", "/etc/hostname", "/sys/kernel") |
|
| 2733 | 2733 |
} |
| 2734 | 2734 |
|
| 2735 | 2735 |
func (s *DockerSuite) TestPermissionsPtsReadonlyRootfs(c *check.C) {
|