Isolation Enhancement Mechanism for Container File System

CLC number: TP316

Fund project: National Natural Science Foundation of China (62202191)

Abstract:

With the widespread adoption of container technology, the security and isolation of containers have drawn considerable attention. Numerous container escape vulnerabilities have long persisted across container tools, and those caused by inadequate container file system isolation have become one of the largest categories of such threats. Vulnerabilities of this kind allow an attacker to manipulate path resolution inside the container, or to steal file descriptors from the host, while the container and the host interact, and thereby to escape the container. Although container tool communities have applied a range of fixes, these vulnerabilities have not been eliminated; incomplete fixes have even introduced several new vulnerabilities of the same kind. Eliminating them requires improving container file system isolation at the kernel level. This study therefore proposes a fine-grained isolation enhancement mechanism for container file systems that extends isolation from file system mount points alone down to the inode level. The mechanism tags the inodes of files inside a container so that container and host file objects can be told apart, then designs and enforces access control between container and host on the basis of those tags, thereby strengthening file system isolation between the two. Experimental results show that the mechanism blocks all file-system-related container escape vulnerabilities, with an average overhead below 2%, far lower than the overhead of the vulnerability patches shipped by container tools.
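To make the difference between mount-point isolation and inode-level isolation concrete, the following toy model in C is added here as an illustration. It is not the paper's implementation and not kernel code: the inode table, the container tag field `owner_cid`, the tag value `HOST_CID`, and the functions `resolve` and `fd_use_allowed` are all constructed for this example. It resolves a path under two policies: one that, like mount-point isolation, checks only where resolution starts, and one that checks the tag of every inode visited, including symlink targets. The same tag check is then applied when a leaked file descriptor is used from container context, which is the second escape route the abstract names.

```c
/* Added toy model of inode-level container/host isolation. Not the paper's
 * implementation: the inode table, the owner_cid tag, HOST_CID and the
 * functions below are all constructed for this illustration. */
#include <stdio.h>

#define HOST_CID 0      /* tag carried by inodes that belong to the host */
#define MAX_HOPS 8      /* bound on symlink following */

enum itype { IT_DIR, IT_FILE, IT_SYMLINK };

struct inode {
    int ino;
    enum itype type;
    int owner_cid;      /* hypothetical tag: id of the owning container, 0 = host */
    int link_target;    /* IT_SYMLINK only: ino the link resolves to */
};

/* Constructed inode table. Container 1 owns a rootfs directory (ino 2), a
 * regular file (ino 3) and a symlink (ino 4) whose target is a host-owned
 * file (ino 5) that lies outside the container's mount. */
static const struct inode table[] = {
    { 1, IT_DIR,     HOST_CID, -1 },   /* host root directory */
    { 2, IT_DIR,     1,        -1 },   /* container 1 rootfs */
    { 3, IT_FILE,    1,        -1 },   /* container-owned file */
    { 4, IT_SYMLINK, 1,         5 },   /* link created inside the container */
    { 5, IT_FILE,    HOST_CID, -1 },   /* host-owned file */
};

static const struct inode *lookup(int ino)
{
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (table[i].ino == ino)
            return &table[i];
    return NULL;
}

/* Resolve a path given as a sequence of inode numbers on behalf of container
 * `cid`. With inode_level == 0 only the first component (the mount point the
 * lookup starts from) is checked, which models mount-point-only isolation.
 * With inode_level == 1 every inode visited, including each symlink target,
 * must carry the caller's tag. Returns the final ino, or -1 when denied or
 * not found. */
int resolve(int cid, const int *path, int n, int inode_level)
{
    if (n <= 0)
        return -1;
    const struct inode *cur = lookup(path[0]);
    if (!cur || cur->owner_cid != cid)
        return -1;                      /* both policies check the start point */
    for (int i = 1; i < n; i++) {
        cur = lookup(path[i]);
        int hops = 0;
        while (cur && cur->type == IT_SYMLINK && hops < MAX_HOPS) {
            if (inode_level && cur->owner_cid != cid)
                return -1;              /* foreign symlink on the way */
            cur = lookup(cur->link_target);
            hops++;
        }
        if (!cur || cur->type == IT_SYMLINK)
            return -1;                  /* dangling link or chain too long */
        if (inode_level && cur->owner_cid != cid)
            return -1;                  /* foreign inode reached via a link or name */
    }
    return cur->ino;
}

/* A file descriptor that leaked into the container still refers to an inode;
 * under the inode-level policy its use from container context is checked
 * against that inode's tag. Returns 1 if allowed, 0 otherwise. */
int fd_use_allowed(int cid, int ino)
{
    const struct inode *in = lookup(ino);
    return in != NULL && in->owner_cid == cid;
}

int main(void)
{
    int benign[] = { 2, 3 };            /* rootfs -> container file */
    int via_link[] = { 2, 4 };          /* rootfs -> symlink -> host file */
    printf("mount-point only, benign path: ino %d\n", resolve(1, benign, 2, 0));
    printf("mount-point only, via symlink: ino %d (host file reached)\n",
           resolve(1, via_link, 2, 0));
    printf("inode-level,      via symlink: ino %d (denied)\n",
           resolve(1, via_link, 2, 1));
    printf("leaked fd to host inode 5 usable from container 1? %d\n",
           fd_use_allowed(1, 5));
    return 0;
}
```

The point of the model is the second and third lines of output: the mount-point-only walk starts inside the container's rootfs and therefore accepts the path, yet ends on a host-owned inode, while the tagged walk refuses as soon as the symlink target's tag does not match the caller. Tagging also makes the file descriptor case uniform, since the check is on the inode behind the descriptor rather than on how the descriptor was obtained.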

Cite this article

李志, 夏书婷, 李圣杰, 刘维杰, 王振辰, 金海. Isolation Enhancement Mechanism for Container File System. Journal of Software (软件学报), 2026, 37(3): 1427-1446

History
  • Received: 2024-09-05
  • Last revised: 2025-05-06
  • Published online: 2025-12-10
  • Publication date: 2026-03-06
Copyright: Institute of Software, Chinese Academy of Sciences