sshd: Don't bind-mount /sbin/init read-write

lxc-sshd was mounting itself (the template script) as /sbin/init in the
container using a writable bind-mount.

This shouldn't be needed and could lead to quite a few problems should
one of those containers overwrite /sbin/init for some reason.

Instead simply move to a read-only bind-mount which should prevent any
accidental dammage.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

diff --git a/templates/lxc-sshd.in b/templates/lxc-sshd.in
index b8df78f07622fb3c1dd18eaf568441e7fc09717a..bbbea62f97063b917c87b39c67e5665b5f5d8c63 100644 (file)
--- a/templates/lxc-sshd.in
+++ b/templates/lxc-sshd.in
@@ -128,7 +128,7 @@ lxc.mount.entry = /bin bin none ro,bind 0 0
 lxc.mount.entry = /usr usr none ro,bind 0 0
 lxc.mount.entry = /sbin sbin none ro,bind 0 0
 lxc.mount.entry = tmpfs var/run/sshd tmpfs mode=0644 0 0
-lxc.mount.entry = @LXCTEMPLATEDIR@/lxc-sshd sbin/init none bind 0 0
+lxc.mount.entry = @LXCTEMPLATEDIR@/lxc-sshd sbin/init none ro,bind 0 0
 lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
 lxc.mount.entry = sysfs sys sysfs ro 0 0
 lxc.mount.entry = /etc/init.d etc/init.d none ro,bind 0 0