Prevent all volumes

[Napsty]

According to the readme (and confirmed by my tests) it is still possible to mount volumes from the host into the container:

$ docker run -v /:/test fedora sh  # works

Is there a way to completely disable the -v usage?

I saw #9 but from the response I can't tell whether the plugin could be rewritten to completely block volumes or if it's not possible at all. Please advise, thanks.

Background story: So far all documented docker hacks I've found were always using a host volume mount to break out and take over the host. This is not only dangerous, it's (in our environment) not necessary. To avoid the danger, I'd prefer to simply disallow all kinds of volumes. I also took a look at the apparmor profile for the docker engine (https://github.com/docker/docker/issues/19699) but it's not ready.

[runcom]

we could have a configuration file for this plugin for different scenarios, e.g. blocking volumes altogether as you need it.

[Napsty]

That would be the best solution I guess. Do you have an example?

[runcom]

Do you have an example?

there's no such thing in place right now. We'll need to implement it (shouldn't be that hard). volunteers? :)

[Napsty]

I'd put my name forward if I'd understand the Go language, sorry :( If I can help in another way, let me know.

[runcom]

I'd put my name forward if I'd understand the Go language, sorry :( If I can help in another way, let me know.

don't worry - I will try to find spare cycles to support this use case (as it's useful imo). Otherwise I'm labeling this as Help wanted for anyone to chime in and contribute

[rhatdan]

SELinux does an excellent job of stopping file system based breakouts.