nsjail icon indicating copy to clipboard operation
nsjail copied to clipboard

Safe default /dev mounts?

Open dseomn opened this issue 3 years ago • 3 comments

Hi,

Would it be possible for nsjail to either mount some of /dev by default, or add a flag to do that? I see mentions of /dev/urandom and /dev/null in the README, but there are also /dev/zero, /dev/stdin, and a handful of other things in dev that seem like they would be safe and useful to bind-mount by default.

dseomn avatar Sep 08 '22 20:09 dseomn

Somebody just pointed me at https://github.com/opencontainers/runc/blob/main/libcontainer/SPEC.md#filesystem which looks like a good list of which device files should be bind-mounted.

dseomn avatar Sep 08 '22 23:09 dseomn

Hi, you can mount all those things with bind mounts, so the question is if there is really a needeat all to have a flag for default devices.

On the other hand, a flag could make it so that the devices would be mknod-ed instead of bind mounted. But I am not sure if that is really a difference.

disconnect3d avatar Feb 21 '23 11:02 disconnect3d

I think the main benefit would be saving people from the effort of looking up that list of common device files, since it seems like a pretty normal thing to want all of those devices.

dseomn avatar Feb 27 '23 18:02 dseomn