Revert "cgfs: don't mount /sys/fs/cgroup readonly"
authorStéphane Graber <stgraber@ubuntu.com>
Fri, 2 May 2014 21:19:55 +0000 (17:19 -0400)
committerStéphane Graber <stgraber@ubuntu.com>
Fri, 2 May 2014 21:19:55 +0000 (17:19 -0400)
This reverts commit 8d783edcae3723a0106d75e1ff31b016e8b1d02c.

src/lxc/cgfs.c

index ba7df895ad86edf544635384a9d6a746ab9a1879..db2a973ce210741c8c6ba18cb950d45ded785d0b 100644 (file)
@@ -1413,6 +1413,14 @@ static bool cgroupfs_mount_cgroup(void *hdata, const char *root, int type)
                                SYSERROR("error bind-mounting %s to %s", mp->mount_point, abs_path);
                                goto out_error;
                        }
+                       /* main cgroup path should be read-only */
+                       if (type == LXC_AUTO_CGROUP_FULL_RO || type == LXC_AUTO_CGROUP_FULL_MIXED) {
+                               r = mount(NULL, abs_path, NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL);
+                               if (r < 0) {
+                                       SYSERROR("error re-mounting %s readonly", abs_path);
+                                       goto out_error;
+                               }
+                       }
                        /* own cgroup should be read-write */
                        if (type == LXC_AUTO_CGROUP_FULL_MIXED) {
                                r = mount(abs_path2, abs_path2, NULL, MS_BIND, NULL);
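Review bot: The comment above the re-added remount explains the intent but not the mechanism, and `MS_REMOUNT|MS_BIND` is easy to misread as a remount of the whole cgroupfs; on Linux that flag pair only changes the per-mountpoint flags of this bind mount, so the hierarchy stays writable for the host while the container's view of `abs_path` becomes read-only. Expanding the comment to `/* main cgroup path should be read-only; MS_REMOUNT|MS_BIND only flips the flags of this bind mount, the host's cgroupfs stays writable */` makes that explicit for the next reader. Note that in the `LXC_AUTO_CGROUP_FULL_MIXED` case this read-only remount is immediately followed by the rw bind of `abs_path2` below, so the ordering matters and is presumably what makes the own cgroup writable again. cgroupfs_mount_cgroup starts and ends outside this hunk.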
@@ -1479,6 +1487,14 @@ static bool cgroupfs_mount_cgroup(void *hdata, const char *root, int type)
                parts = NULL;
        }
 
+       /* try to remount the tmpfs readonly, since the container shouldn't
+        * change anything (this will also make sure that trying to create
+        * new cgroups outside the allowed area fails with an error instead
+        * of simply causing this to create directories in the tmpfs itself)
+        */
+       if (type != LXC_AUTO_CGROUP_RW && type != LXC_AUTO_CGROUP_FULL_RW)
+               mount(NULL, path, NULL, MS_REMOUNT|MS_RDONLY, NULL);
+
        free(path);
 
        return true;
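Review bot: The return value of the tmpfs remount on the line `mount(NULL, path, NULL, MS_REMOUNT|MS_RDONLY, NULL);` is discarded, so if the remount fails the container silently ends up with a writable cgroup tmpfs even though the comment above describes the read-only remount as the thing that stops stray cgroup directories from being created there. The first hunk checks the equivalent remount of `abs_path` and fails the function on error; this one should at least report the failure, e.g. `if (mount(NULL, path, NULL, MS_REMOUNT|MS_RDONLY, NULL) < 0) SYSERROR("error re-mounting %s readonly", path);`. If the silent best-effort is deliberate, that should be said in the comment so the weaker guarantee is visible. cgroupfs_mount_cgroup continues outside this hunk.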