Originally posted by kloczek
Container creates a pid namespace and a mount namespace.
Inside the pid namespace, mounting procfs would only give you the processes inside that namespace.
Inside the mount namespace, you can create mounts without affecting other namespaces.
Originally posted by kloczek
/dev/full, /dev/null, /dev/zero, /dev/random and /dev/urandom are all created using mknod.
Inside the container, all the other devices have to be manually bind mounted into the container.
https://man7.org/linux/man-pages/man4/random.4.html, see section Configuration
Originally posted by kloczek
It allows you to filter (whitelist or blacklist) syscalls, and also to filter syscalls based on the arguments passed.
You could also trigger a ptrace within seccomp.
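Added example, not from the thread or from any project it mentions: a seccomp-bpf filter in C that does what the post describes, filtering on the syscall number and on a syscall argument, plus a small user-space evaluator so the jump offsets can be checked before the filter is installed. The policy itself (mknod/mknodat fail with EPERM, socket() is allowed only for AF_UNIX) is an assumed illustration, and x86_64 syscall numbers are assumed.

```c
/* Added example, not from the thread: a seccomp-bpf policy filtering on the syscall
 * number (mknod/mknodat -> EPERM) and on an argument (socket() only for AF_UNIX),
 * with a user-space evaluator to check it before installing. x86_64 ABI assumed. */
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#define LOAD(field) BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, field))
#define JEQ(val, jt, jf) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (val), (jt), (jf))
#define RET(action) BPF_STMT(BPF_RET | BPF_K, (action))
/* Assumed illustrative policy; a real container profile is much larger. */
static const struct sock_filter policy[] = {
    LOAD(arch), JEQ(AUDIT_ARCH_X86_64, 1, 0), RET(SECCOMP_RET_KILL_PROCESS), /* foreign ABI */
    LOAD(nr), JEQ(__NR_mknod, 7, 0),  /* jump offsets count from the next instruction */
    JEQ(__NR_mknodat, 6, 0),          /* both mknod variants land on the EPERM return */
    JEQ(__NR_socket, 1, 0),           /* socket(): inspect the first argument */
    RET(SECCOMP_RET_ALLOW),           /* any other syscall */
    LOAD(args[0]),                    /* low 32 bits of arg0 = address family */
    JEQ(AF_UNIX, 0, 1), RET(SECCOMP_RET_ALLOW), RET(SECCOMP_RET_KILL_THREAD),
    RET(SECCOMP_RET_ERRNO | EPERM),
};
#define POLICY_LEN (sizeof policy / sizeof policy[0])
/* Evaluate one syscall as the kernel would; only the three opcode forms above are handled. */
uint32_t run_filter(const struct sock_filter *f, size_t n, const struct seccomp_data *d) {
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        switch (f[pc].code) {
        case BPF_LD | BPF_W | BPF_ABS: memcpy(&acc, (const char *)d + f[pc].k, 4); break;
        case BPF_JMP | BPF_JEQ | BPF_K: pc += (acc == f[pc].k) ? f[pc].jt : f[pc].jf; break;
        case BPF_RET | BPF_K: return f[pc].k;
        default: return SECCOMP_RET_KILL_PROCESS;   /* unsupported opcode */
        }
    }
    return SECCOMP_RET_KILL_PROCESS;                /* fell off the end */
}
uint32_t decide(uint32_t arch, int nr, uint64_t arg0) {   /* policy verdict for one call */
    struct seccomp_data d = { .nr = nr, .arch = arch, .args = { arg0 } };
    return run_filter(policy, POLICY_LEN, &d);
}
int install_policy(void) {   /* apply to the calling thread; children inherit it */
    struct sock_fprog prog = { .len = POLICY_LEN, .filter = (struct sock_filter *)policy };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
```

The ptrace hook the post mentions is the SECCOMP_RET_TRACE action, which hands the call to an attached tracer instead of deciding in the filter; it is not used in this policy.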