cgfsng: two fixes for cgroup-full 899/head
authorSerge Hallyn <serge.hallyn@ubuntu.com>
Thu, 17 Mar 2016 06:12:57 +0000 (23:12 -0700)
committerSerge Hallyn <serge.hallyn@ubuntu.com>
Thu, 17 Mar 2016 06:12:57 +0000 (23:12 -0700)
We need to pass nosuid+noexec+nodev to remount to stop the kernel
from denying it.

When remounting the container's path read-write, use the right dest
path.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
src/lxc/cgfsng.c

index 4432f87e903625ef2a88726ac5050bcc85df14c4..cf753199f3396f5cfc2f2ae9b02d696bb29a24e3 100644 (file)
@@ -1238,7 +1238,9 @@ static int mount_cgroup_full(int type, struct hierarchy *h, char *dest,
                return -1;
        }
        if (type != LXC_AUTO_CGROUP_FULL_RW) {
-               if (mount(NULL, dest, "cgroup", MS_BIND | MS_REMOUNT | MS_RDONLY, NULL) < 0) {
+               unsigned long flags = MS_BIND | MS_NOSUID | MS_NOEXEC | MS_NODEV |
+                                     MS_REMOUNT | MS_RDONLY;
+               if (mount(NULL, dest, "cgroup", flags, NULL) < 0) {
                        SYSERROR("Error remounting %s readonly", dest);
                        return -1;
                }
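Review bot: The hard-coded flag set on the read-only remount has no comment saying why it is there, and it only helps if it matches the flags the original mount of `dest` carried. In a user namespace the kernel refuses a remount that would clear locked flags such as nosuid, nodev and noexec, so I would add `/* restate nosuid/nodev/noexec: the kernel rejects a remount that drops locked mount flags */` above the `flags` declaration. The initial mount call is outside this hunk, so whether it uses exactly these three flags could not be checked here; sharing one constant between the mount and the remount would keep them from drifting apart. mount_cgroup_full starts and ends outside the hunk.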
@@ -1250,7 +1252,7 @@ static int mount_cgroup_full(int type, struct hierarchy *h, char *dest,
 
        /* mount just the container path rw */
        char *source = must_make_path(h->mountpoint, h->base_cgroup, container_cgroup, NULL);
-       char *rwpath = must_make_path(dest, container_cgroup, NULL);
+       char *rwpath = must_make_path(dest, h->base_cgroup, container_cgroup, NULL);
        if (mount(source, rwpath, "cgroup", MS_BIND, NULL) < 0)
                WARN("Failed to mount %s read-write: %m", rwpath);
        INFO("Made %s read-write", rwpath);
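Review bot: `INFO("Made %s read-write", rwpath)` runs even when the bind mount just above it failed, so the log reports a writable container path right after the WARN says the opposite. Make it the else branch, `else INFO("Made %s read-write", rwpath);`, so the log reflects what actually happened. The failure here is only a warning while the read-only remount failure returns -1; leaving the tree read-only is the safe direction, but a short comment saying that is deliberate would help whoever audits this later. The rest of the function, including where `source` and `rwpath` are released, is outside this hunk.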