/dev should not be readonly with --readonly flag

/dev is mounted on a tmpfs inside of a container. Processes inside of containers some times need to create devices nodes, or to setup a socket that listens on /dev/log Allowing these containers to run with the --readonly flag makes sense. Making a tmpfs readonly does not add any security to the container, since there is plenty of places where the container can write tmpfs content. I have no idea why /dev was excluded. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2017-10-31 09:32:20 -04:00 · 2017-10-31 09:32:20 -04:00 · 5f3bd2473e
parent 4bc5a57652
commit 5f3bd2473e
2 changed files with 2 additions and 2 deletions
--- a/daemon/oci_linux.go
+++ b/daemon/oci_linux.go
@ -628,7 +628,7 @@ func setMounts(daemon *Daemon, s *specs.Spec, c *container.Container, mounts []c
 	if s.Root.Readonly {
 		for i, m := range s.Mounts {
 			switch m.Destination {
-			case "/proc", "/dev/pts", "/dev/mqueue": // /dev is remounted by runc
+			case "/proc", "/dev/pts", "/dev/mqueue", "/dev":
 				continue
 			}
 			if _, ok := userMounts[m.Destination]; !ok {
--- a/integration-cli/docker_cli_run_test.go
+++ b/integration-cli/docker_cli_run_test.go
@ -2729,7 +2729,7 @@ func (s *DockerSuite) TestRunContainerWithReadonlyRootfs(c *check.C) {
 	if root := os.Getenv("DOCKER_REMAP_ROOT"); root != "" {
 		testPriv = false
 	}
-	testReadOnlyFile(c, testPriv, "/file", "/etc/hosts", "/etc/resolv.conf", "/etc/hostname", "/sys/kernel", "/dev/.dont.touch.me")
+	testReadOnlyFile(c, testPriv, "/file", "/etc/hosts", "/etc/resolv.conf", "/etc/hostname", "/sys/kernel")
 }

 func (s *DockerSuite) TestPermissionsPtsReadonlyRootfs(c *check.C) {