nspawn: always use mode 555 for /sys

When a network namespace is needed, /sys is mounted as tmpfs (see commit
d8fc6a000fe21b0c1ba27f for details).

But in this case mode 755 was used as initial permissions for /sys whereas the
default mode for sysfs is 555.

In practice using 755 doesn't have any impact because /sys is mounted read-only
too but for consistency, let's use the correct mode.

Fixes: #10050

diff --git a/src/nspawn/nspawn-mount.c b/src/nspawn/nspawn-mount.c
index 1279b9bb3eacf11a9194b2f81bd2d85a16730fd3..995022272a0f9afabf2afe885268cdd63867e44b 100644 (file)
--- a/src/nspawn/nspawn-mount.c
+++ b/src/nspawn/nspawn-mount.c
@@ -550,7 +550,7 @@ int mount_all(const char *dest,
                 /* Then we list outer child mounts (i.e. mounts applied *before* entering user namespacing) */
                 { "tmpfs",           "/tmp",            "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
                   MOUNT_FATAL },
-                { "tmpfs",           "/sys",            "tmpfs", "mode=755",  MS_NOSUID|MS_NOEXEC|MS_NODEV,
+                { "tmpfs",           "/sys",            "tmpfs", "mode=555",  MS_NOSUID|MS_NOEXEC|MS_NODEV,
                   MOUNT_FATAL|MOUNT_APPLY_APIVFS_NETNS },
                 { "sysfs",           "/sys",            "sysfs", NULL,        MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV,
                   MOUNT_FATAL|MOUNT_APPLY_APIVFS_RO },    /* skipped if above was mounted */