mount: Adjust mount flags for unprivileged users

Bind-mounts require us to set MS_REC and remounting any mountpoint
requires us to now downgrade on noexec/nodev/nosuid.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/src/libpakfire/mount.c b/src/libpakfire/mount.c
index e671a69552cb0709371450ebac86c69d1415024d..cd33a1f31ce53b8e01c22441b36b7132cc71bbab 100644 (file)
--- a/src/libpakfire/mount.c
+++ b/src/libpakfire/mount.c
@@ -43,25 +43,27 @@ static const struct pakfire_mountpoint {
        int flags;
        const char* options;
 } mountpoints[] = {
-       { "pakfire_proc",  "proc",         "proc",  MS_NOSUID|MS_NOEXEC|MS_NODEV, NULL, },
+       { "pakfire_proc",  "proc",          "proc",    MS_NOSUID|MS_NOEXEC|MS_NODEV, NULL, },
 
        // Bind mount /proc/sys as read-only with the following exceptions:
        //  * /proc/sys/net
-       { "/proc/sys",     "proc/sys",     "bind",  MS_BIND, NULL, },
-       { "/proc/sys/net", "proc/sys/net", "bind",  MS_BIND, NULL, },
-       { "/proc/sys",     "proc/sys",     "bind",  MS_BIND|MS_RDONLY|MS_REMOUNT, NULL, },
+       { "/proc/sys",     "proc/sys",      "bind",    MS_BIND|MS_REC, NULL, },
+       { "/proc/sys/net", "proc/sys/net",  "bind",    MS_BIND|MS_REC, NULL, },
+       { "/proc/sys",     "proc/sys",      "bind",
+               MS_BIND|MS_RDONLY|MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV, NULL, },
 
        // Bind mount /sys as read-only
-       { "/sys",          "sys",          "bind",  MS_BIND, NULL, },
-       { "/sys",          "sys",          "bind",  MS_BIND|MS_RDONLY|MS_REMOUNT, NULL, },
+       { "/sys",          "sys",           "bind",    MS_BIND|MS_REC, NULL, },
+       { "/sys",          "sys",           "bind",
+               MS_BIND|MS_RDONLY|MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV, NULL, },
 
        // Create a new /dev
-       { "pakfire_dev",   "dev",          "tmpfs", MS_NOSUID|MS_NOEXEC,
+       { "pakfire_dev",   "dev",           "tmpfs",   MS_NOSUID|MS_NOEXEC,
                "mode=755,size=4m,nr_inodes=64k", },
-       { "/dev/pts",      "dev/pts",      "bind",  MS_BIND, NULL, },
+       { "/dev/pts",      "dev/pts",       "bind",    MS_BIND|MS_REC, NULL, },
 
        // Create a new /run
-       { "pakfire_tmpfs", "run",          "tmpfs", MS_NOSUID|MS_NOEXEC|MS_NODEV,
+       { "pakfire_tmpfs", "run",           "tmpfs",   MS_NOSUID|MS_NOEXEC|MS_NODEV,
                "mode=755,size=4m,nr_inodes=1k", },
 
        // The end