Lab: Host mounts and privileged containers

DISCLAIMER: Host bind mounts of / and --privileged containers are unsafe. Run this lab only on an isolated Linux VM you own. Do not use production or shared systems.

See how bind mounts erase practical separation between a container and the host. The goal is to recognize flags your policies should block.

Lab objective

Lab Objective

Demonstrate host filesystem exposure via bind mounts.
Show host-level access using --privileged + nsenter.
Prove real impact: read, modify, and persist on host from container.
Map each action to what a policy should block.

Host Filesystem Exposure via Bind Mount

Run container with full host mount.

docker run -it --rm --privileged -v /:/host ubuntu bash

Mounts entire host filesystem inside container

Read host sensitive files.

ls -la /host/etc/passwd
cat /host/etc/hostname

Confirms visibility into host system files

Impact: Modify and Persist on Host

Create file on host from inside container.

echo "owned-by-container" > /host/tmp/pwned.txt

Writes directly to host filesystem

Exit container and verify from host.

cat /tmp/pwned.txt

Confirms file write and persistence on host

Next step: Theory: Image CVE scanners, then Lab: Trivy image scan.

Keyboard shortcuts

Container security workshop by peachycloudsecurity

Lab: Host mounts and privileged containers

Lab objective

Lab Objective

Host Filesystem Exposure via Bind Mount

Impact: Modify and Persist on Host