From: Stéphane Graber Date: Fri, 2 May 2014 21:19:55 +0000 (-0400) Subject: Revert "cgfs: don't mount /sys/fs/cgroup readonly" X-Git-Tag: lxc-1.1.0.alpha1~119 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f8f3c3c07126164a90f5b80437e987053ea151f5;p=thirdparty%2Flxc.git Revert "cgfs: don't mount /sys/fs/cgroup readonly" This reverts commit 8d783edcae3723a0106d75e1ff31b016e8b1d02c.
---
diff --git a/src/lxc/cgfs.c b/src/lxc/cgfs.c
index ba7df895a..db2a973ce 100644
--- a/src/lxc/cgfs.c
+++ b/src/lxc/cgfs.c
@@ -1413,6 +1413,14 @@ static bool cgroupfs_mount_cgroup(void *hdata, const char *root, int type)
 SYSERROR("error bind-mounting %s to %s", mp->mount_point, abs_path);
 goto out_error;
 }
+ /* main cgroup path should be read-only */
+ if (type == LXC_AUTO_CGROUP_FULL_RO || type == LXC_AUTO_CGROUP_FULL_MIXED) {
+ r = mount(NULL, abs_path, NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL);
+ if (r < 0) {
+ SYSERROR("error re-mounting %s readonly", abs_path);
+ goto out_error;
+ }
+ }
 /* own cgroup should be read-write */
 if (type == LXC_AUTO_CGROUP_FULL_MIXED) {
 r = mount(abs_path2, abs_path2, NULL, MS_BIND, NULL);
@@ -1479,6 +1487,14 @@ static bool cgroupfs_mount_cgroup(void *hdata, const char *root, int type)
 parts = NULL;
 }
+ /* try to remount the tmpfs readonly, since the container shouldn't
+ * change anything (this will also make sure that trying to create
+ * new cgroups outside the allowed area fails with an error instead
+ * of simply causing this to create directories in the tmpfs itself)
+ */
+ if (type != LXC_AUTO_CGROUP_RW && type != LXC_AUTO_CGROUP_FULL_RW)
+ mount(NULL, path, NULL, MS_REMOUNT|MS_RDONLY, NULL);
+
 free(path);
 return true;
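Review bot: The new `mount(NULL, abs_path, NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL)` in the first hunk sets the per-mount flags of the bind mount from scratch, so any MS_NOSUID/MS_NODEV/MS_NOEXEC the source cgroup mount carried are dropped from abs_path in the FULL_RO and FULL_MIXED paths; whether the host cgroup mounts carry those flags is not visible here, and the plain MS_REMOUNT of the tmpfs in the second hunk has the same property. Consider querying the current flags of abs_path first (statvfs, mapping ST_NOSUID/ST_NODEV/ST_NOEXEC to their MS_ counterparts) and OR-ing them into the remount flags, or at least document the behavior: `/* NOTE: MS_REMOUNT|MS_BIND replaces the per-mount flags; nosuid/nodev/noexec of the source mount are not preserved */`. cgroupfs_mount_cgroup starts and ends outside the hunk.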
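Review bot: In the second hunk the return value of `mount(NULL, path, NULL, MS_REMOUNT|MS_RDONLY, NULL)` is discarded, so if the read-only remount of the cgroup tmpfs fails the container starts with a writable tmpfs and nothing is logged, while the equivalent remount in the first hunk treats failure as fatal via SYSERROR and `goto out_error`. The comment above it says "try to", so best-effort may be intended, but a read-only control that fails silently is hard to notice in operation. At minimum log it, `if (mount(NULL, path, NULL, MS_REMOUNT|MS_RDONLY, NULL) < 0)` followed by `SYSERROR("error re-mounting %s readonly", path);`, or fail with `goto out_error` for consistency with the first hunk. The function's body continues outside the hunk (the out_error label referenced in the first hunk is not visible).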