Security of fuse-overlayfs with LXC (unprivileged)

IceRoute · February 5, 2021, 9:44pm

To support Docker in my unprivileged LXC container and avoid using the very inefficient “VFS” storage driver, I decided to use “fuse-overlayfs”.

To accomplish that I added the following config to my container:

#Required for Docker overlayfs
#fuse-overlayfs package installed both on host and inside container
lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file 0 0

This setup works flawlessly, but how secure is it?

Is it any better than using overlay with “modprobe overlay permit_mounts_in_userns=1” on the host, which would allow an attacker in the container to gain host root privileges ? (https://lwn.net/Articles/671641/)

stgraber · February 6, 2021, 4:19am

FUSE should be slightly safer by running the filesystem in userspace, it will be significantly slower than unprivileged overlay though.

There’s no security concerns that I’m aware of with exposing /dev/fuse to the container, FUSE has been properly namespaced or a while now and we expose it by default to all LXD containers.

IceRoute · February 7, 2021, 1:47pm

Thanks a lot for clarifying. For my setup security is more important than performance so I accept the performance decrease fuse causes.