Information
You should not allow sensitive host system directories such as those listed below to be mounted as container volumes, especially in read-write mode.
/
/boot
/dev
/etc
/lib
/proc
/sys
/usr
Rationale:
If sensitive directories are mounted in read-write mode, it could be possible to make changes to files within them. This has obvious security implications and should be avoided.
Solution
You should not mount directories which are security sensitive on the host within containers, especially in read-write mode.
Impact:
None.
Default Value:
Docker defaults to using a read-write volume but you can also mount a directory read-only. By default, no sensitive host directories are mounted within containers.