mirror of https://github.com/docker/cli.git, synced 2026-01-16 20:22:36 +03:00
If a container is read-only, also set /proc, /sys, & /dev to read-only. This should apply to both privileged and unprivileged containers.

Note that when /dev is read-only, device files may still be written to. This change will simply prevent the device paths from being modified, or performing mknod of new devices within the /dev path.

Tests are included for all cases. Also adds a test to ensure that /dev/pts is always mounted read/write, even in the case of a read-write rootfs. The kernel restricts writes here naturally and bad things will happen if we mount it ro.

Signed-off-by: Eric Windisch <eric@windisch.us>
Upstream-commit: 5400d8873f730e6099d29af49fe45931665c3b49
Component: engine
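A runtime checker for the invariant the commit describes (ro rootfs implies ro /proc, /sys and /dev; /dev/pts rw in every case), added here as an example and not part of the docker/cli commit or the engine's own tests. It assumes a mount table in /proc/self/mounts format and ships with constructed sample tables (write_sample) so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the docker/cli commit: check a mount table in
# /proc/self/mounts format (device mountpoint fstype options dump pass) for the
# invariant the commit describes: if the rootfs (/) is ro, /proc, /sys and /dev
# must be ro too, and /dev/pts must be rw regardless of the rootfs.
# Usage inside a container:  check_mount_invariant /proc/self/mounts

# has_opt FILE MOUNTPOINT OPT: succeed if OPT is a whole comma-separated token of
# MOUNTPOINT's options field (so "ro" does not match "errors=remount-ro").
has_opt() {
    awk -v mp="$2" -v opt="$3" '
        $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == opt) found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# Prints one line per violation; returns 0 when the invariant holds.
check_mount_invariant() {
    f="$1"; rc=0
    if has_opt "$f" / ro; then
        for mp in /proc /sys /dev; do
            has_opt "$f" "$mp" ro || { echo "VIOLATION: rootfs is ro but $mp is not"; rc=1; }
        done
    fi
    # The kernel already limits writes under devpts; mounting it ro breaks PTY allocation.
    has_opt "$f" /dev/pts rw || { echo "VIOLATION: /dev/pts is not mounted rw"; rc=1; }
    return $rc
}

# write_sample FILE ROOTOPT DEVOPT: constructed mount table (not a real capture),
# with ROOTOPT applied to /, /proc and /sys and DEVOPT to /dev.
write_sample() {
    cat > "$1" <<EOF
overlay / overlay $2,relatime,lowerdir=/l,upperdir=/u,workdir=/w 0 0
proc /proc proc $2,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs $2,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev tmpfs $3,nosuid,size=65536k,mode=755 0 0
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666 0 0
EOF
}

# Demo on the constructed tables; no real mounts are touched.
demo="${TMPDIR:-/tmp}/mounts.$$"
write_sample "$demo" ro ro && check_mount_invariant "$demo" && echo "consistent ro table: OK"
write_sample "$demo" ro rw && check_mount_invariant "$demo" || echo "ro rootfs with rw /dev: rejected"
rm -f "$demo"
```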