Details
-
Improvement
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
None
-
None
Description
When setting up the container filesystems, we use `pre_exec_commands` to make ABI symlinks and other things. The problem with this is that, depending of the order of operations, we may not have the full security policy in place yet, but since we are running in the context of the container's mount namespaces, the programs we execute are under the control of whoever built the container image.
jieyu and I previously discussed adding filesystem operations to the `ContainerLaunchInfo`. Just `ln` would be sufficient for the `cgroups` and `linux/filesystem` isolators. Secrets and port mapping isolators need more, so we should discuss and file new tickets if necessary.