Allowing mounts in containers is dangerous. Bugs in
mount namespaces or quirks of the container configuration
could allow for various breakouts.
By default, processes in containers will not be able to mount anyway,
rendering the allowances in the default AppArmor profile nearly
useless. Manually created sub-containers were able to mount, but
were yet restricted from performing most of the mounts flags indicated
in the profile.
Signed-off-by: Eric Windisch <eric@windisch.us>
also document that the executor will only try to remove all the children in a
best-effort way.
Docker-DCO-1.1-Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com> (github: dqminh)
This document specifies the current container specification with all the
underlying setup and configuration that goes into making a container.
This is the v1 spec that is today but allows for flexability when we
introduce more features such as seccomp default profiles and more.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Eric Windisch
Qiang Huang
Daniel, Dao Quang Minh
Michael Crosby