git.ipfire.org Git - thirdparty/systemd.git/commit - src/nspawn/nspawn-mount.h
nspawn: lock down a few things in /proc by default
author Lennart Poettering <lennart@poettering.net>
Mon, 30 Apr 2018 10:22:41 +0000 (12:22 +0200)
committer Lennart Poettering <lennart@poettering.net>
Thu, 3 May 2018 15:45:42 +0000 (17:45 +0200)
commit d4b653c589fc103325a22680227fea6f35b2a781
tree ed33c06e6a25cf8913d67b27faf6e8553f6f0220
parent 10af01a5ff5a6ede9cc684def71508b88f6b93eb
nspawn: lock down a few things in /proc by default

This tightens security on /proc: a couple of files exposed there are now
made inaccessible. These files might potentially leak kernel internals
or expose non-virtualized concepts, hence lock them down by default.
Moreover, a couple of dirs in /proc that expose stuff also exposed in
/sys are now marked read-only, similar to how we handle /sys.

The list is taken from what docker/runc based container managers
generally apply, but slightly extended.
src/nspawn/nspawn-mount.c
src/nspawn/nspawn-mount.h
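
One way to check, from inside a container, whether a given /proc path is covered by this kind of lockdown is to read `/proc/self/mountinfo`. The following is an added example, not code from this commit or from systemd. The sample records and the two paths (`/proc/kcore`, `/proc/bus`) are constructed for illustration, and treating any non-proc filesystem mounted over a /proc path as "masked" is an assumption of this sketch; the list this commit actually applies is in `src/nspawn/nspawn-mount.c` and is not shown on this page.

```python
"""Added example: classify /proc paths from /proc/self/mountinfo text."""
from typing import Dict, NamedTuple

# Constructed sample records, not captured from a real container.
SAMPLE = """\
100 90 0:50 / / rw,relatime - ext4 /dev/sda1 rw
101 100 0:51 / /proc rw,nosuid,nodev,noexec shared:5 - proc proc rw
102 101 0:51 /bus /proc/bus ro,nosuid,nodev,noexec - proc proc rw
103 101 0:52 /null /proc/kcore rw,nosuid - devtmpfs devtmpfs rw
"""


class Mount(NamedTuple):
    root: str           # path inside the source filesystem
    options: frozenset  # per-mount options (ro, nosuid, ...)
    fstype: str


def parse_mountinfo(text: str) -> Dict[str, Mount]:
    """Map mount point -> topmost mount; later records shadow earlier ones."""
    mounts: Dict[str, Mount] = {}
    for line in text.splitlines():
        f = line.split()
        if "-" not in f[6:]:
            continue  # optional fields must end with a lone "-"
        sep = f.index("-", 6)
        if sep + 1 >= len(f):
            continue  # truncated record, no filesystem type
        mounts[f[4]] = Mount(f[3], frozenset(f[5].split(",")), f[sep + 1])
    return mounts


def classify(path: str, mounts: Dict[str, Mount]) -> str:
    """Return 'masked', 'read-only' or 'exposed' for a path under /proc."""
    p = path.rstrip("/") or "/"
    while p not in mounts and p != "/":
        p = p.rsplit("/", 1)[0] or "/"  # walk up to the covering mount
    m = mounts.get(p)
    if m is None:
        return "exposed"
    if m.fstype != "proc":
        return "masked"  # something else is mounted over the proc entry
    return "read-only" if "ro" in m.options else "exposed"


if __name__ == "__main__":
    table = parse_mountinfo(SAMPLE)
    for candidate in ("/proc/kcore", "/proc/bus/pci", "/proc/keys"):
        print(candidate, classify(candidate, table))
```

To audit a live container, pass the contents of `/proc/self/mountinfo` to `parse_mountinfo` in place of `SAMPLE`.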