How to disallow the Docker Daemon to mount host's root file system into the container
Solution 1:
SELinux will prevent anything not correctly labelled to be mounted as a volume inside a docker container, as proof, here using a single file, same policy applies to directories:
$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 30
Using the sample file:
$ cat sample_script.sh
echo 'Hello, world'
Its default security context is:
$ ls -lrtZ sample_script.sh
-rw-------. 1 david david unconfined_u:object_r:user_home_t:s0 20 Oct 3 17:18 sample_script.sh
Trying to use this file inside a container fails as expected:
$ docker run -v /home/david/sample_script.sh:/sample_script.sh --rm ubuntu bash sample_script.sh
bash: sample_script.sh: Permission denied
And an AVC denial will be logged:
$ sudo ausearch -m avc -ts recent
time->Mon Oct 3 17:39:28 2016
type=AVC msg=audit(1475512768.444:784): avc: denied { read } for pid=28720 comm="bash" name="sample_script.sh" dev="dm-13" ino=101062112 scontext=system_u:system_r:svirt_lxc_net_t:s0:c457,c992 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
After changing the security context to one Docker can use:
$ sudo chcon -Rt svirt_sandbox_file_t sample_script.sh
$ ls -lrtZ sample_script.sh
-rw-------. 1 david david unconfined_u:object_r:svirt_sandbox_file_t:s0 20 Oct 3 17:18 sample_script.sh
The container now has access to the file:
$ docker run -v /home/david/sample_script.sh:/sample_script.sh --rm ubuntu bash sample_script.sh
Hello, world
More information about Docker and SELinux in the official Red Hat documentation and this article by Dan Walsh.