Jorge Fábregas <jorge.fabregas(a)gmail.com> writes:
On 9/6/21 11:34 AM, Giuseppe Scrivano wrote:
> exactly. root can create mounts directly in the current mount namespace
> so it doesn't need to create a new one owned by a different user
> namespace.
Ok, I see this now. I forgot the part that regular users can't create new
mount points. I was mainly concentrating on the "isolation" aspect of a
new mount namespace.
Wouldn't a new mount namespace for rootful containers provide extra
isolation?
For rootless it is more of a necessity than a matter of extra security.
In the new mount namespace it is still possible to access all the
existing mount points from the host.
For root, it could make sense to have a separate mount namespace so that
the mount points won't be visible from the host. This setup is not
currently supported, you'd need to create it manually.
Giuseppe
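The distinction Giuseppe draws (a rootless container must own a new user namespace to be allowed to mount at all, while a root container may keep the host's mount namespace, so its mounts stay visible on the host) is easy to verify from /proc. The following Python is an added example, not code from this thread or from any container project: it compares the namespace identities of two PIDs and diffs their mountinfo tables to list the mount points one side sees and the other does not. The `/proc/<pid>/ns/*` links and the mountinfo format are standard Linux; the two mountinfo tables embedded below are constructed sample data, and `ns_id` returns None when a link is unreadable (reading another user's process needs ptrace access).

```python
import os

# Constructed sample: what PID 1 on the host might see.
HOST_MOUNTINFO = """\
22 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
23 22 0:5 / /proc rw,nosuid - proc proc rw
24 22 0:6 / /sys rw,nosuid - sysfs sysfs rw
25 22 8:2 / /home rw,relatime - ext4 /dev/sda2 rw
"""

# Constructed sample: a container that was given its own mount namespace.
# Its tmpfs on /data never appears in the host's table.
CONTAINER_MOUNTINFO = """\
40 39 0:50 / / rw,relatime - overlay overlay rw,lowerdir=/l,upperdir=/u
41 40 0:5 / /proc rw,nosuid - proc proc rw
42 40 0:6 / /sys ro,nosuid - sysfs sysfs ro
43 40 0:51 / /data rw,nosuid - tmpfs tmpfs rw,size=65536k
"""


def ns_id(pid, ns="mnt"):
    """Identity of a namespace, e.g. 'mnt:[4026531840]', or None if unreadable."""
    try:
        return os.readlink(f"/proc/{pid}/ns/{ns}")
    except OSError:
        return None


def shares_namespace(pid_a, pid_b, ns="mnt"):
    """True if both PIDs live in the same namespace of type `ns`, None if unknown."""
    a, b = ns_id(pid_a, ns), ns_id(pid_b, ns)
    if a is None or b is None:
        return None
    return a == b


def parse_mountinfo(text):
    """Parse /proc/<pid>/mountinfo into {mount_point: {fstype, source, opts}}.

    Each line is: id parent major:minor root mount_point opts [optional...] - fstype source super_opts
    Mount points are relative to the reading process's root, and a path may be
    mounted over repeatedly; the last line for a path wins, matching what is visible.
    """
    mounts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        left, sep, right = line.partition(" - ")
        lf, rf = left.split(), right.split()
        if not sep or len(lf) < 6 or len(rf) < 2:
            continue  # malformed line; skip rather than guess
        mounts[lf[4]] = {"fstype": rf[0], "source": rf[1], "opts": lf[5]}
    return mounts


def read_mountinfo(pid):
    """Mount table of a live PID, or None if /proc is not readable for it."""
    try:
        with open(f"/proc/{pid}/mountinfo") as f:
            return parse_mountinfo(f.read())
    except OSError:
        return None


def mounts_only_in(table_a, table_b):
    """Mount points present in table_a but absent from table_b, sorted."""
    return sorted(set(table_a) - set(table_b))


def audit(container_table, host_table, shared_mnt_ns):
    """Summarise what the host can see of the container's mounts.

    shared_mnt_ns: result of shares_namespace(container_pid, 1) or None.
    """
    hidden = mounts_only_in(container_table, host_table)
    return {
        "shares_host_mount_ns": shared_mnt_ns,
        # If the mount namespace is shared, nothing the container mounts is hidden
        # from the host; a non-empty list here implies a separate namespace.
        "mounts_hidden_from_host": [] if shared_mnt_ns else hidden,
        "host_mounts_not_in_container": mounts_only_in(host_table, container_table),
    }


if __name__ == "__main__":
    host, ctr = parse_mountinfo(HOST_MOUNTINFO), parse_mountinfo(CONTAINER_MOUNTINFO)
    print(audit(ctr, host, shared_mnt_ns=False))
    # Live check on this machine: does the current process share PID 1's mount namespace?
    print("this process shares PID 1 mnt ns:", shares_namespace("self", 1))
```

Run as-is it reports on the constructed tables; point `read_mountinfo` and `shares_namespace` at a real container PID and PID 1 to do the same check on a live system. In the rootful-without-new-namespace case the thread describes, `shares_namespace` returns True and the hidden list is empty.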