option to mount volumes noexec #7054

@ibukanov

Description

For improved security it would be nice to have an option to mount volumes in the container with the noexec flag, similar to the already supported read-only mounts. With noexec the application could not create a new executable by setting the executable permission on a file under its control in a volume. In turn this makes it possible to restrict the application in the container to running only a few selected executables.

AFAICS the only way to do it currently is to bind-mount a host directory with the noexec option and then pass it to the container with the -v flag. However, this requires using non-portable host directories.
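The workaround described in the issue, written out as an added example (not from the issue author or the Docker project): the host directory is bind-mounted onto itself and remounted noexec, passed in with -v, and the container then checks that the flag is present on its mount and that a file it marks executable is still refused. HOST_DIR, CONTAINER_PATH, the RUN_NOEXEC_DEMO switch and the busybox image are assumptions made for this example.

```shell
#!/bin/sh
# Added example: noexec host bind mount passed to a container with -v.
# Assumes root on the host, docker installed and a busybox image.
HOST_DIR=/srv/noexec-vol      # placeholder host path
CONTAINER_PATH=/data          # placeholder path inside the container

# Return 0 if a /proc/mounts line carries OPT in its option field.
# Line format: "<source> <mountpoint> <fstype> <options> <dump> <pass>".
# Pure string parsing, so the check can be exercised without mounting.
mount_has_opt() {
    opt=$2
    set -- $1                 # split the mounts line on whitespace
    case ",$4," in
        *",$opt,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Look up the mount point in /proc/mounts and test it for an option.
mountpoint_has_opt() {
    while read -r line; do
        case "$line" in
            *" $1 "*) mount_has_opt "$line" "$2"; return $? ;;
        esac
    done < /proc/mounts
    return 1
}

# Host side: a plain bind mount ignores noexec, so bind first, then
# remount the bind mount with the flag.
setup_noexec_dir() {
    mkdir -p "$HOST_DIR"
    mount --bind "$HOST_DIR" "$HOST_DIR"
    mount -o remount,bind,noexec "$HOST_DIR"
    mountpoint_has_opt "$HOST_DIR" noexec
}

# Container side: the -v bind mount inherits noexec, so setting the
# executable bit on a file in the volume is not enough to run it.
check_in_container() {
    docker run --rm -e P="$CONTAINER_PATH" -v "$HOST_DIR:$CONTAINER_PATH" \
        busybox sh -c '
        grep " $P " /proc/mounts | grep -q noexec || exit 1
        printf "#!/bin/sh\necho ran\n" > "$P/t.sh" && chmod +x "$P/t.sh"
        if "$P/t.sh" 2>/dev/null; then exit 1; fi
        echo "noexec enforced: exec bit set but execution refused"'
}

# Privileged steps run only when explicitly requested.
if [ "${RUN_NOEXEC_DEMO:-0}" = 1 ]; then
    setup_noexec_dir && check_in_container
fi
```

Run with `RUN_NOEXEC_DEMO=1 sh noexec-demo.sh` as root; the script exits non-zero if the flag is missing on either side or the test file executes.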
