BindMount¶

Authorize the request only if the bind mount option doesn’t run over the defined rules.

Checks are recursive. Every paths not explicitly defined are disallowed. A path not terminated by a / will be considered as starting blob (/foo*).

Path starting with + represent an allowed path, hence, path starting with - will be disallowed. The special key $USER will be replaced by the current connected user. You can escape the $ sign by preceding it by a ` (“$USER”) to use `$USER as a litteral.

BindMount are on evaluated only if the action include binded paths. That’s the case for:

ContainersCreate

Example usage¶

policies.yml¶

---

- description: Allow everything if bind mounts are validated.
  hosts:
    - +.*
  default: Allow
  policies:
    - members:
        - users
      rules:
        any:
          BindMount:
            - "-/"
            - "+/home/$USER/"
            - "+/0/"
            - "-/mnt/something-"

...