From: Christian Brauner
Date: Tue, 17 Aug 2021 09:07:38 +0000 (+0200)
Subject: busybox: mount sys:ro
X-Git-Tag: lxc-5.0.0~108^2~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8829829debe9456f4207c60a15fc85e7c44bd575;p=thirdparty%2Flxc.git

busybox: mount sys:ro

There's no udev so sys doesn't need to be read-write.

Signed-off-by: Christian Brauner
---
diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
index 266be60cc..3306b5e63 100644
--- a/templates/lxc-busybox.in
+++ b/templates/lxc-busybox.in
@@ -234,7 +234,7 @@ lxc.cap.drop = sys_module mac_admin mac_override sys_time
 # When using LXC with apparmor, uncomment the next line to run unconfined:
 #lxc.apparmor.profile = unconfined
-lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
+lxc.mount.auto = cgroup:mixed proc:mixed sys:ro
 lxc.mount.entry = shm dev/shm tmpfs defaults,create=dir 0 0
 lxc.mount.entry = mqueue dev/mqueue mqueue defaults,optional,create=dir 0 0
 EOF
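Review bot: The new `lxc.mount.auto` line in the generated config carries no comment explaining the read-only sysfs, while the apparmor setting just above it tells the user what to change and why. Per the LXC documentation `sys:mixed` keeps `/sys/devices/virtual/net` writable and `sys:ro` does not, so a user whose container writes there has nothing in the file pointing at the cause; I would add `# No udev in busybox, so /sys is read-only; use sys:mixed if /sys/devices/virtual/net must be writable.` above the line. It may also be worth stating that this is hardening rather than a boundary: the `lxc.cap.drop` line in the hunk header does not list `sys_admin`, so a privileged container's root can presumably still remount `/sys`. The heredoc these lines belong to starts outside the hunk.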