From: Eric W. Biederman
Date: Tue, 16 Jun 2015 13:44:36 +0000 (+0100)
Subject: lxc: set nosuid+nodev+noexec flags on /proc/sys mount
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bda5f2bddaa9cd5765baf77c9d21dc8131ad30a6;p=thirdparty%2Flibvirt.git

lxc: set nosuid+nodev+noexec flags on /proc/sys mount

Future kernels will mandate the use of nosuid+nodev+noexec flags when mounting the /proc/sys filesystem. Unconditionally add them now since they don't harm things regardless and could mitigate future security attacks.

(cherry picked from commit 24710414d403f1040794299f5304fee160d0fc23)

Conflicts:
src/lxc/lxc_container.c
---
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 95ee68adef..28dabecbbd 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -760,7 +760,7 @@ typedef struct {
 
 static const virLXCBasicMountInfo lxcBasicMounts[] = {
 { "proc", "/proc", "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, false, false },
- { "/proc/sys", "/proc/sys", NULL, MS_BIND|MS_RDONLY, false, false },
+ { "/proc/sys", "/proc/sys", NULL, MS_BIND|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, false, false, false },
 { "sysfs", "/sys", "sysfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, false, false },
 { "securityfs", "/sys/kernel/security", "securityfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true, true },
 #if WITH_SELINUX
@@ -926,7 +926,7 @@ static int lxcContainerMountBasicFS(bool userns_enabled,
 if (bindOverReadonly &&
 mount(mnt_src, mnt->dst, NULL,
- MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0) {
+ MS_BIND|MS_REMOUNT|mnt_mflags|MS_RDONLY, NULL) < 0) {
 virReportSystemError(errno,
 _("Failed to re-mount %s on %s flags=%x"),
 mnt_src, mnt->dst,
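Review bot: The new `/proc/sys` row in the lxcBasicMounts hunk carries seven initializers (`false, false, false`) while every other row in the same hunk has six, which looks like a leftover from resolving the cherry-pick conflict the message mentions. Unless the virLXCBasicMountInfo struct on this branch has a seventh field that is not shown here, the trailing `false` is an excess initializer and the row should read `{ "/proc/sys", "/proc/sys", NULL, MS_BIND|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, false, false },`. GCC only warns on an excess struct initializer by default, so the build may not catch it on its own; worth confirming against the struct definition, which lies outside the hunk along with the rest of the table.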