A regular user allowed to run docker on the host can use docker run -u 0 with -v to start a container and access the host filesystem as root through the container. This is one of the things I want to prevent.
I want to allow certain regular users to docker run any image available on the host, but require that they always run effectively with a container user and group matching their host user and group. This way they can't escalate their privileges to access the host filesystem. Other users (admin users) will still have full access. Is this feasible?
(Ideally I also need to disallow regular users from changing images but that's another question.)
While I want to prevent privilege escalation that allows access to things like /bin on the host, I still want to allow a user to bind-mount a directory that he has access to on the host at the same privilege level, e.g. his own home directory. Some people may think that this question has all the answers to my question, but it does not: just using --userns-remap=default seems to even block access to files that a user already has access to on the host; with --userns-remap=default, the same user is allowed to write to some directory on the host but not allowed to write to the same bind-mounted directory in the container, e.g. his own home directory: docker run -v /home/$USER:/home/$USER -u$UID ...
I'm not trying to prevent "privilege"; I'm trying to prevent "privilege escalation". The top answer in that question does not say how to still allow access that is available on the host to the same user.
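The behaviour the question observes with --userns-remap=default follows from how the remapping works: Docker takes the subordinate UID/GID range assigned to its remap user in /etc/subuid and /etc/subgid and shifts every container ID into it, so container UID 0 lands on the first host UID of the range and container UID 1000 lands 1000 above it, not on host UID 1000. The Python below is an added example (not code from the post, its author, or Docker) that works this mapping through for both cases in the question: `-u 0` against a root-owned host directory, and `-u $UID` against the user's own home. It assumes the default remap user name `dockremap` and a constructed single-range /etc/subuid entry; the permission check is the plain POSIX owner/group/other rule and ignores ACLs.

```python
"""Work through Docker's userns-remap ID shift for a bind-mounted directory.

Assumptions (not taken from the post): the remap user is "dockremap",
the subordinate ranges are applied in file order and contiguously in the
container's ID space, and the mount has no ACLs.
"""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class IdRange:
    start: int   # first host ID in the subordinate range
    count: int   # number of IDs in the range


def parse_subid(text, user):
    """Parse /etc/subuid or /etc/subgid text ("name:start:count" lines)
    and return the ranges assigned to `user`, in file order."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append(IdRange(int(start), int(count)))
    return ranges


def map_container_id(container_id, ranges):
    """Host ID that a UID/GID inside the remapped container really has.

    Container IDs 0..count-1 fall into the first range, the next `count`
    IDs into the second range, and so on; anything beyond the ranges has
    no host identity at all."""
    offset = 0
    for r in ranges:
        if offset <= container_id < offset + r.count:
            return r.start + (container_id - offset)
        offset += r.count
    raise ValueError(f"container id {container_id} has no host mapping")


def can_write_as(host_uid, host_gids, owner_uid, owner_gid, mode):
    """Classic POSIX write check against a directory's owner, group and mode."""
    if host_uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in host_gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def bind_mount_writable(container_uid, container_gid, owner_uid, owner_gid,
                        mode, subuid_text, subgid_text, remap_user="dockremap"):
    """Return (host_uid, host_gid, writable) for a process in a remapped
    container running as container_uid:container_gid touching a bind-mounted
    host directory owned by owner_uid:owner_gid with the given mode."""
    host_uid = map_container_id(container_uid, parse_subid(subuid_text, remap_user))
    host_gid = map_container_id(container_gid, parse_subid(subgid_text, remap_user))
    return host_uid, host_gid, can_write_as(host_uid, {host_gid}, owner_uid, owner_gid, mode)


# Constructed sample files: the single range Docker typically creates for dockremap.
SUBUID = "dockremap:100000:65536\n"
SUBGID = "dockremap:100000:65536\n"
HOST_USER = 1000          # the regular user's host UID/GID
ROOT_DIR_MODE = 0o755     # e.g. a root-owned host directory like /bin
HOME_DIR_MODE = 0o755     # the user's own home directory


def main():
    # Without remapping, "-u 0" really is host root on a bind-mounted host path.
    print("no remap, -u 0 on root-owned dir: writable =",
          can_write_as(0, {0}, 0, 0, ROOT_DIR_MODE))
    # With remapping, "-u 0" becomes host UID 100000 and loses that access ...
    print("remap, -u 0 on root-owned dir:", bind_mount_writable(
        0, 0, 0, 0, ROOT_DIR_MODE, SUBUID, SUBGID))
    # ... but "-u $UID" becomes host UID 101000 and also loses the user's own home.
    print("remap, -u 1000 on own home:", bind_mount_writable(
        HOST_USER, HOST_USER, HOST_USER, HOST_USER, HOME_DIR_MODE, SUBUID, SUBGID))


if __name__ == "__main__":
    main()
```

The third call is the case the question complains about: the mapped host UID 101000 owns nothing under /home/$USER, so the remapped container can only get "other" permissions on it, which for a 0755 home directory means no write. Remapping therefore removes the root escalation and the user's legitimate access together, because it shifts every container ID by the same offset rather than pinning the container user to the invoking host user.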