Felix Ruess

109 comments by Felix Ruess

@bviktor see #61 which will only put absolute source paths (so not named volumes) in `BindMounts` after resolving them...

@anderseknert so this doesn't seem to work: `BindMounts` is always `null`, even if `Body.HostConfig.Binds` has a bind mount (starting with `/`). Not sure what is still wrong/missing... I probably don't...

So at least the resolving seems to work now, but I'm not sure how to write a policy file that correctly denies any request that has bind mounts except for...

So this works with a policy like (excerpt):

```
package docker.authz

default allow = false

allow {
    not restricted_host_bind
    not privileged
}

# bind mounts to host with these prefixes...
```

I would be happy if you want to take over

I would leave that out (at least of this PR)... because whose `$HOME`? Of the user running opa-docker-authz? But then you would already know the user anyway...

@anderseknert I updated it a bit for my use-case so I can allow only ReadOnly bind mounts where the source already exists (so that docker doesn't create dirs that don't...
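The two rules sketched in the comments above (only host bind mounts, i.e. absolute source paths rather than named volumes, count; those are allowed only read-only, under an allow-listed prefix, and only if the source already exists so Docker does not create directories; privileged containers are refused) are shown here as a stand-alone Python check. This is an added example for illustration and is neither opa-docker-authz code nor the Rego policy from the thread; the allow-list `ALLOWED_RO_PREFIXES`, the `evaluate` function and the sample request are assumptions for the example. The request shape (`HostConfig.Binds` entries of the form `src:dst[:opts]`, `HostConfig.Privileged`) follows the Docker Engine container-create API.

```python
"""Added example (not opa-docker-authz code): decide whether a Docker
container-create request body may pass, given the bind-mount rules
discussed above. Prefix allow-list and request sample are assumptions."""
import os
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Assumed allow-list of host paths that may be bind-mounted read-only.
ALLOWED_RO_PREFIXES = ("/srv/data/", "/etc/ssl/certs/")


@dataclass
class Bind:
    source: str        # host path (absolute) or named volume
    target: str        # mount point inside the container
    options: List[str]  # e.g. ["ro", "z"]; empty means read-write

    @property
    def is_host_path(self) -> bool:
        # Docker treats an absolute source as a bind mount; anything else
        # ("mydata") is a named volume and never touches a host directory.
        return self.source.startswith("/")

    @property
    def read_only(self) -> bool:
        return "ro" in self.options


def parse_bind(spec: str) -> Bind:
    """Parse one HostConfig.Binds entry: src:dst[:opt1,opt2,...]."""
    parts = spec.split(":")
    if len(parts) not in (2, 3) or not parts[0] or not parts[1]:
        raise ValueError(f"malformed bind spec: {spec!r}")
    raw_opts = parts[2].split(",") if len(parts) == 3 else []
    return Bind(parts[0], parts[1], [o for o in raw_opts if o])


def lexical_resolve(path: str) -> str:
    """Collapse '.' and '..' without touching the filesystem."""
    return os.path.normpath(path)


def under_allowed_prefix(path: str) -> bool:
    # Compare against the resolved path so "/srv/data/../../etc" cannot
    # sneak past a naive startswith() on the raw source string.
    return any(path == p.rstrip("/") or path.startswith(p)
               for p in ALLOWED_RO_PREFIXES)


def evaluate(body: Dict,
             exists: Callable[[str], bool] = os.path.exists,
             resolve: Callable[[str], str] = os.path.realpath,
             ) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). `exists` and `resolve` are injectable so
    the check can be exercised without a real host filesystem."""
    host = body.get("HostConfig") or {}
    reasons: List[str] = []
    if host.get("Privileged"):
        reasons.append("privileged containers are not allowed")
    for spec in host.get("Binds") or []:
        bind = parse_bind(spec)
        if not bind.is_host_path:
            continue  # named volume: not a host bind mount, nothing to check
        src = resolve(bind.source)
        if not under_allowed_prefix(src):
            reasons.append(f"bind mount {src} is outside the allowed prefixes")
        elif not bind.read_only:
            reasons.append(f"bind mount {src} must be mounted read-only")
        elif not exists(src):
            # Refuse rather than let Docker create the missing directory.
            reasons.append(f"bind mount source {src} does not exist on the host")
    return (not reasons, reasons)


# Constructed sample request body (assumption, not captured traffic).
SAMPLE_REQUEST = {
    "Image": "nginx:alpine",
    "HostConfig": {
        "Privileged": False,
        "Binds": ["/srv/data/web:/usr/share/nginx/html:ro", "logs:/var/log/nginx"],
    },
}

if __name__ == "__main__":
    print(evaluate(SAMPLE_REQUEST, exists=lambda p: True, resolve=lexical_resolve))
```

The defaults (`os.path.exists`, `os.path.realpath`) make the check run against the real host, which is what you want inside an authz plugin; `realpath` also follows symlinks, so a link under an allowed prefix pointing elsewhere is judged by where it actually lands.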

@anderseknert did you have a chance to continue here yet?

For now this does all I need and is running fine in production. I also don't have time to spend on making this more complete atm...

We just switched from ownCloud to Nextcloud, and since the editor always saves with Windows line endings this breaks quite a few of our things. So auto-detection would be really...