Information
You should not allow sensitive host system directories such as those listed below to be mounted as container volumes, especially in read-write mode.
/
/boot
/dev
/etc
/lib
/proc
/sys
/usr
Rationale:
If sensitive directories are mounted in read-write mode, it could be possible to make changes to files within them. This has obvious security implications and should be avoided.
Impact:
None.
Solution
You should not mount directories which are security sensitive on the host within containers, especially in read-write mode.
Default Value:
Docker defaults to using a read-write volume but you can also mount a directory read-only. By default, no sensitive host directories are mounted within containers.