Details
-
Improvement
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
None
-
None
Description
We already have a set of procfs paths that we mark read-only in the containerizer, but there are additional paths that are considered sensitive by other containerizers and are masked altogether:
"/proc/asound" "/proc/acpi" "/proc/kcore" "/proc/keys" "/proc/latency_stats" "/proc/timer_list" "/proc/timer_stats" "/proc/sched_debug" "/sys/firmware" "/proc/scsi"
Masking is done by mounting /dev/null on files, and an empty, readonly tmpfs on directories.