moby--moby

mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00

History

Dan Walsh ba38d58659 Make mqueue container specific mqueue can not be mounted on the host os and then shared into the container. There is only one mqueue per mount namespace, so current code ends up leaking the /dev/mqueue from the host into ALL containers. Since SELinux changes the label of the mqueue, only the last container is able to use the mqueue, all other containers will get a permission denied. If you don't have SELinux protections sharing of the /dev/mqueue allows one container to interact in potentially hostile ways with other containers. Signed-off-by: Dan Walsh <dwalsh@redhat.com>	2016-02-05 16:50:35 +01:00
..
default_template_linux.go	Make mqueue container specific	2016-02-05 16:50:35 +01:00
default_template_unsupported.go	Windows: Fix native exec template	2015-10-31 11:39:19 -07:00

Dan Walsh ba38d58659 Make mqueue container specific

mqueue can not be mounted on the host os and then shared into the container.
There is only one mqueue per mount namespace, so current code ends up leaking
the /dev/mqueue from the host into ALL containers.  Since SELinux changes the
label of the mqueue, only the last container is able to use the mqueue, all
other containers will get a permission denied.  If you don't have SELinux protections
sharing of the /dev/mqueue allows one container to interact in potentially hostile
ways with other containers.

Signed-off-by: Dan Walsh <dwalsh@redhat.com>

2016-02-05 16:50:35 +01:00

default_template_linux.go

Make mqueue container specific

2016-02-05 16:50:35 +01:00

default_template_unsupported.go

Windows: Fix native exec template

2015-10-31 11:39:19 -07:00