From 5f3bd2473ee2a1b9f37ba0130e934133d0e01f89 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Tue, 31 Oct 2017 09:32:20 -0400
Subject: [PATCH] /dev should not be readonly with --readonly flag

/dev is mounted on a tmpfs inside of a container. Processes inside of containers some times need to create devices nodes, or to setup a socket that listens on /dev/log Allowing these containers to run with the --readonly flag makes sense. Making a tmpfs readonly does not add any security to the container, since there is plenty of places where the container can write tmpfs content. I have no idea why /dev was excluded.

Signed-off-by: Daniel J Walsh
---
 daemon/oci_linux.go | 2 +-
 integration-cli/docker_cli_run_test.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go
index b4a6bf60d2..905e20cd90 100644
--- a/daemon/oci_linux.go
+++ b/daemon/oci_linux.go
@@ -628,7 +628,7 @@ func setMounts(daemon *Daemon, s *specs.Spec, c *container.Container, mounts []c
 if s.Root.Readonly {
 for i, m := range s.Mounts {
 switch m.Destination {
- case "/proc", "/dev/pts", "/dev/mqueue": // /dev is remounted by runc
+ case "/proc", "/dev/pts", "/dev/mqueue", "/dev":
 continue
 }
 if _, ok := userMounts[m.Destination]; !ok {
diff --git a/integration-cli/docker_cli_run_test.go b/integration-cli/docker_cli_run_test.go
index 6ac10e70e9..ddb3ae95f4 100644
--- a/integration-cli/docker_cli_run_test.go
+++ b/integration-cli/docker_cli_run_test.go
@@ -2729,7 +2729,7 @@ func (s *DockerSuite) TestRunContainerWithReadonlyRootfs(c *check.C) {
 if root := os.Getenv("DOCKER_REMAP_ROOT"); root != "" {
 testPriv = false
 }
- testReadOnlyFile(c, testPriv, "/file", "/etc/hosts", "/etc/resolv.conf", "/etc/hostname", "/sys/kernel", "/dev/.dont.touch.me")
+ testReadOnlyFile(c, testPriv, "/file", "/etc/hosts", "/etc/resolv.conf", "/etc/hostname", "/sys/kernel")
 }
 
 func (s *DockerSuite) TestPermissionsPtsReadonlyRootfs(c *check.C) {
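Review bot: The new `"/dev"` case deletes the only rationale on that line (`// /dev is remounted by runc`) and puts nothing in its place, so a later reader cannot tell whether leaving /dev writable under a read-only rootfs is deliberate or an omission; keep the reason on the case line, e.g. `case "/proc", "/dev/pts", "/dev/mqueue", "/dev": // tmpfs; stays writable so containers can mknod and bind sockets such as /dev/log`. It is also worth stating, here or in the --read-only documentation, that after this change the read-only rootfs no longer constrains writes under /dev, so as far as I can tell device-node creation in such a container is gated only by CAP_MKNOD and the devices cgroup rather than by --read-only. The switch matches `m.Destination` exactly, so any other default mount nested under /dev that is not listed would still be remounted read-only — presumably intended, but worth confirming against the spec template. `setMounts` and the loop body begin and continue outside this hunk.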
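Review bot: Removing `"/dev/.dont.touch.me"` from the assertion list only stops the suite from requiring /dev to be read-only; nothing now asserts the behaviour the commit introduces, so if /dev were remounted read-only again (by this loop or by the runtime) this test would still pass. Add a positive check in the same test, e.g. `dockerCmd(c, "run", "--read-only", "--rm", "busybox", "touch", "/dev/.touch.me")`, and ideally one for the mknod or /dev/log socket case the commit message motivates, so the intent is pinned rather than merely tolerated. The test function's preamble, including where `testPriv` is first assigned, lies above this hunk.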