On Fri, 10 Feb 2023 at 12:58:50 +0100, Johannes Schauer Marin Rodrigues wrote:
> So the secret of
> bind-mounting proc in a privileged docker container is to use --rbind.
I assume this is because if you have "covered up" a sensitive or dangerous part of /proc to stop processes inside the container from poking it (for example mounting an empty file or inaccessible device node over /proc/sysrq-trigger), doing a non-recursive mount would "uncover" it, which is undesirable if you want your container to be anything vaguely resembling a security boundary.

    smcv
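As an added illustration (not part of the thread above, and not code from Debian, Docker or any other project), the following Python check makes the "uncovering" concrete: it parses a /proc/self/mountinfo-style listing and reports every mount sitting strictly below /proc. Those submounts are exactly what a non-recursive `mount --bind /proc TARGET` fails to reproduce and what `--rbind` carries along. The sample mountinfo lines are constructed for the example (modelled on the kind of covers a container runtime leaves over procfs: /dev/null bound over files, an empty read-only tmpfs over directories, a read-only self-bind of /proc/bus); the function names are mine, and the `--sample` flag exists only for this example.

```python
"""List the mounts beneath /proc that a non-recursive bind would leave behind.

Input is the /proc/self/mountinfo format from proc(5):
  ID PARENT MAJ:MIN ROOT MOUNTPOINT OPTIONS [optional fields...] - FSTYPE SOURCE SUPEROPTS
"""
import re
import sys
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Mount:
    mount_id: int
    parent_id: int
    root: str         # path within the source filesystem that is mounted here
    mount_point: str  # where it appears in this mount namespace
    fstype: str
    source: str
    options: str


# mountinfo encodes space, tab, newline and backslash in paths as \ooo octal.
_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def unescape(field: str) -> str:
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text: str) -> List[Mount]:
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Optional fields (shared:N, master:N, ...) are variable-length and end
        # at a lone "-", so split on that separator before counting fields.
        head, sep, tail = line.partition(" - ")
        head_fields, tail_fields = head.split(), tail.split()
        if not sep or len(head_fields) < 6 or len(tail_fields) < 2:
            raise ValueError(f"malformed mountinfo line: {line!r}")
        mounts.append(Mount(
            mount_id=int(head_fields[0]),
            parent_id=int(head_fields[1]),
            root=unescape(head_fields[3]),
            mount_point=unescape(head_fields[4]),
            options=head_fields[5],
            fstype=tail_fields[0],
            source=unescape(tail_fields[1]),
        ))
    return mounts


def is_strictly_below(path: str, top: str) -> bool:
    """Path-component aware: '/process data' is not below '/proc'."""
    top = top.rstrip("/") or "/"
    if top == "/":
        return path != "/"
    return path.startswith(top + "/")


def submounts_under(text: str, top: str = "/proc") -> List[Mount]:
    """Every mount whose mount point lies strictly below `top`.

    A non-recursive bind of `top` reproduces only the filesystem mounted at
    `top` itself; each entry returned here is absent from such a copy.
    """
    return sorted(
        (m for m in parse_mountinfo(text) if is_strictly_below(m.mount_point, top)),
        key=lambda m: m.mount_point,
    )


def lost_on_plain_bind(text: str, top: str = "/proc") -> List[str]:
    return [m.mount_point for m in submounts_under(text, top)]


# Constructed sample (not captured from a real system). "/process\040data" is a
# decoy whose name merely starts with "/proc".
SAMPLE_MOUNTINFO = """\
500 499 0:60 / / rw,relatime - overlay overlay rw,lowerdir=/lower,upperdir=/upper,workdir=/work
501 500 0:63 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
502 500 0:64 / /dev rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
503 500 0:65 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
504 501 0:64 /null /proc/kcore rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
505 501 0:64 /null /proc/sysrq-trigger rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
506 501 0:66 / /proc/acpi ro,relatime - tmpfs tmpfs ro
507 501 0:63 /bus /proc/bus ro,nosuid,nodev,noexec,relatime - proc proc rw
508 503 0:67 / /sys/firmware ro,relatime - tmpfs tmpfs ro
509 500 0:68 / /process\\040data rw,relatime - tmpfs tmpfs rw
"""


if __name__ == "__main__":
    # Audit a live tree from inside a container:  python3 this.py [/proc/self/mountinfo]
    # or run on the constructed sample:           python3 this.py --sample
    if len(sys.argv) > 1 and sys.argv[1] == "--sample":
        text = SAMPLE_MOUNTINFO
    else:
        with open(sys.argv[1] if len(sys.argv) > 1 else "/proc/self/mountinfo") as f:
            text = f.read()
    for m in submounts_under(text):
        print(f"{m.mount_point:<28} covered by {m.fstype} {m.source}:{m.root} ({m.options})")
```

Run against the live mountinfo of a container started with a plain `--bind` of /proc, the list comes back empty, which is the problem: the covers over kcore, sysrq-trigger and friends exist in the parent namespace but not in the copy. The same check after an `--rbind` shows each cover present, with the filesystem and source path that provides it.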