Re: Sandbox thoughts



On Tue, 2015-03-03 at 09:34 -0800, Andy Lutomirski wrote:
> On Mon, Mar 2, 2015 at 11:59 PM, Alexander Larsson <alexl redhat com> wrote:
> 
> > Also, I'd like to make all the recursively bound subtrees readonly. Is
> > there a better way to do this than enumerating all mounts and remounting
> > all that are under /sys?
> > 
> > In fact this is a general problem I have with recursive bind mounts. If
> > I want to grant access to some directory with limited access (for
> > example read-only or nosuid) then I have to use a recursive bind mount,
> > but the remount is not recursive, and furthermore, it does not apply to
> > later mounts that get propagated into my namespace.


> Oh, yuck.
> 
> We should finally just make readonly bind mounts work in the first
> place.  You can partially mitigate this by remounting private before
> you remount ro, though.

I generally run in slave mode, which is what I want here. Either I'm in
hard containment mode, and something like /mnt will not even be mounted in
the container, or I'm allowing some form of access to the system/user
files. If this contains e.g. /mnt then I definitely *do* want to get new
mounts (say if the user inserted a usb stick).

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Alexander Larsson                                            Red Hat, Inc
       alexl redhat com            alexander larsson gmail com
He's an uncontrollable drug-addicted boxer who knows the secret of the
alien invasion. She's a cosmopolitan renegade mechanic from the wrong
side of the tracks. They fight crime!
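The workaround discussed above (a recursive bind, then walking /proc/self/mountinfo and remounting every mount under the subtree read-only, because MS_REMOUNT|MS_BIND|MS_RDONLY touches only a single mount) as an added example; this is not code from the thread or from any sandbox project. The mountinfo text in the test is constructed, and mounts that propagate into a slave namespace after this runs are, as the thread notes, still not covered.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>

#define MAX_MOUNTS 256

/* True if path is root itself or lies beneath it (prefix match on a path boundary). */
int path_under(const char *path, const char *root) {
    size_t n = strlen(root);
    return strncmp(path, root, n) == 0 && (path[n] == '\0' || path[n] == '/');
}

/* Scan text in /proc/self/mountinfo format and copy the mount point (5th
 * whitespace-separated field) of every mount at or below root into out[];
 * returns the count. mountinfo octal-escapes spaces in paths ("\040"); this
 * example does not decode such escapes. */
int submounts_under(const char *mountinfo, const char *root,
                    char out[][256], int max) {
    int count = 0;
    const char *line = mountinfo;
    while (*line && count < max) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[1024];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        /* fields: id parent major:minor root mountpoint options ... */
        char *save = NULL, *tok = strtok_r(buf, " ", &save);
        for (int i = 0; tok && i < 4; i++) tok = strtok_r(NULL, " ", &save);
        if (tok && path_under(tok, root))
            snprintf(out[count++], 256, "%s", tok);
        line = eol ? eol + 1 : line + len;
    }
    return count;
}

/* Remount every mount at or below root read-only, one mount() call per
 * submount, since a bind remount is not recursive. Needs CAP_SYS_ADMIN in
 * the mount namespace; returns the number of failed remounts, -1 on error. */
int remount_subtree_ro(const char *root) {
    static char text[1 << 16];
    FILE *f = fopen("/proc/self/mountinfo", "r");
    if (!f) return -1;
    size_t n = fread(text, 1, sizeof text - 1, f);
    fclose(f);
    text[n] = '\0';
    char mps[MAX_MOUNTS][256];
    int cnt = submounts_under(text, root, mps, MAX_MOUNTS), failed = 0;
    for (int i = 0; i < cnt; i++)
        if (mount(NULL, mps[i], NULL, MS_REMOUNT | MS_BIND | MS_RDONLY, NULL) != 0)
            failed++;
    return failed;
}
```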