> Quoting Miklos Szeredi (miklos@szeredi.hu):
> > From: Miklos Szeredi <mszeredi@suse.cz>
> >
> > On mount propagation, let the owner of the clone be inherited from the
> > parent into which it has been propagated. Also if the parent has the
> > "nosuid" flag, set this flag for the child as well.
>
> What about nodev?
Hmm, I think the nosuid thing is meant to prevent suid mounts being
introduced into a "suidless" namespace. This doesn't apply to dev
mounts, which are quite safe in a suidless environment, as long as the
user is not able to create devices. But that should be taken care of
by capability tests.
I'll update the description.
Thanks,
Miklos
_______________________________________________
Containers mailing list
Containers@lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers