| Key | Type | Default | Live update | Condition | Description |
| --- | --- | --- | --- | --- | --- |
| security.syscalls.intercept.mount | boolean | false | no | container | Handles the mount system call |
| security.syscalls.intercept.mount.allowed | string | - | yes | container | Specify a comma-separated list of filesystems that are safe to mount for processes inside the instance |
| security.syscalls.intercept.mount.fuse | string | - | yes | container | Whether to mount shiftfs on top of filesystems handled through mount syscall interception |
| security.syscalls.intercept.mount.shift | boolean | false | yes | container | Whether to redirect mounts of a given filesystem to their fuse implementation (e.g. ext4=fuse2fs) |
I have a couple questions:
- Are the ‘mount.allowed’ and ‘mount.fuse’ options mutually exclusive? In other words, if ‘ext4’ is in the ‘mount.allowed’ list then ‘ext4=fuse2fs’ can’t be in ‘mount.fuse’ also, right?
- Are the comments for ‘mount.fuse’ and ‘mount.shift’ swapped? The one for shift makes mention of fuse and the one for fuse makes mention of shiftfs.
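As an added example (not part of the post or of the LXD documentation quoted above), a small Python helper that parses the two string keys in the format their descriptions state (a comma-separated filesystem list for `mount.allowed`, comma-separated `fs=helper` pairs such as `ext4=fuse2fs` for the fuse redirection key) and reports any filesystem named in both, so an administrator can see the overlap the first question asks about before applying the config. The sample values are constructed.

```python
"""Parse and cross-check the two string-valued mount-interception keys.

Added example; assumes only the value formats given in the table's
descriptions, not any LXD API.
"""


def parse_allowed(value):
    """mount.allowed: comma-separated list of filesystem names."""
    return [fs.strip() for fs in value.split(",") if fs.strip()]


def parse_fuse(value):
    """Fuse redirection key: comma-separated fs=helper pairs.

    Returns ({fs: helper}, [entries that are not a well-formed pair]).
    """
    mapping, malformed = {}, []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        fs, sep, helper = entry.partition("=")
        if not sep or not fs.strip() or not helper.strip():
            malformed.append(entry)
        else:
            mapping[fs.strip()] = helper.strip()
    return mapping, malformed


def audit(allowed_value, fuse_value):
    """Summarise both keys and list filesystems that appear in both."""
    allowed = parse_allowed(allowed_value)
    fuse, malformed = parse_fuse(fuse_value)
    return {
        "allowed": allowed,
        "fuse": fuse,
        "malformed_fuse": malformed,
        "in_both": sorted(set(allowed) & set(fuse)),
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from a real instance.
    print(audit("ext4,xfs", "ext4=fuse2fs,btrfs"))
```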