opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-05-20 16:47:39 +08:00
Code Issues Packages Projects Releases Wiki Activity

make /dev & /dev/shm read/only when --read-only --read-only-tmpfs=false

Browse Source 
The intention of --read-only-tmpfs=fals when in --read-only mode was to
not allow any processes inside of the container to write content
anywhere, unless the caller also specified a volume or a tmpfs. Having
/dev and /dev/shm writable breaks this assumption.

Fixes: https://github.com/containers/podman/issues/12937

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This commit is contained in:
Daniel J Walsh
2023-07-29 06:31:14 -04:00
parent b6a52f1f8b
commit 22a8b68866
7 changed files with 37 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
docs/source/markdown/options/read-only-tmpfs.md
View File

@ -4,4 +4,4 @@
####> are applicable to all of those.
#### **--read-only-tmpfs**
If container is running in **--read-only** mode, then mount a read-write tmpfs on _/run_, _/tmp_, and _/var/tmp_. The default is **true**.
If container is running in **--read-only** mode, then mount a read-write tmpfs on _/dev_, _/dev/shm_, _/run_, _/tmp_, and _/var/tmp_. The default is **true**.