From: Serge Hallyn
Date: Thu, 17 Mar 2016 06:12:57 +0000 (-0700)
Subject: cgfsng: two fixes for cgroup-full
X-Git-Tag: lxc-2.0.0.rc11~3^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F899%2Fhead;p=thirdparty%2Flxc.git

cgfsng: two fixes for cgroup-full

We need to pass nosuid+nexec+nodev to remount to stop the kernel from denying it.

When remounting the container's path read-write, use the right dest path.

Signed-off-by: Serge Hallyn
---
diff --git a/src/lxc/cgfsng.c b/src/lxc/cgfsng.c
index 4432f87e9..cf753199f 100644
--- a/src/lxc/cgfsng.c
+++ b/src/lxc/cgfsng.c
@@ -1238,7 +1238,9 @@ static int mount_cgroup_full(int type, struct hierarchy *h, char *dest,
 return -1;
 }
 if (type != LXC_AUTO_CGROUP_FULL_RW) {
- if (mount(NULL, dest, "cgroup", MS_BIND | MS_REMOUNT | MS_RDONLY, NULL) < 0) {
+ unsigned long flags = MS_BIND | MS_NOSUID | MS_NOEXEC | MS_NODEV |
+ MS_REMOUNT | MS_RDONLY;
+ if (mount(NULL, dest, "cgroup", flags, NULL) < 0) {
 SYSERROR("Error remounting %s readonly", dest);
 return -1;
 }
@@ -1250,7 +1252,7 @@ static int mount_cgroup_full(int type, struct hierarchy *h, char *dest,
 /* mount just the container path rw */
 char *source = must_make_path(h->mountpoint, h->base_cgroup,
 container_cgroup, NULL);
- char *rwpath = must_make_path(dest, container_cgroup, NULL);
+ char *rwpath = must_make_path(dest, h->base_cgroup, container_cgroup, NULL);
 if (mount(source, rwpath, "cgroup", MS_BIND, NULL) < 0)
 WARN("Failed to mount %s read-write: %m", rwpath);
 INFO("Made %s read-write", rwpath);
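Review bot: The reason MS_NOSUID, MS_NOEXEC and MS_NODEV are folded into a read-only remount lives only in the commit message, so a later cleanup could easily drop them as unrelated to making the mount read-only; put the reason next to the `unsigned long flags = ...` line, e.g. `/* Carry nosuid/noexec/nodev along: the kernel refuses a remount that would clear them here, and they are the right hardening for a cgroup mount anyway. */`. The three flags are hard-coded rather than read back from the existing mount at dest, so if that mount somehow lacks one of them the remount adds it rather than preserving the current state — harmless for cgroupfs, but worth saying in the same comment. mount_cgroup_full begins before this hunk and continues after it, so I cannot see how dest was mounted in the first place.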
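Review bot: `INFO("Made %s read-write", rwpath);` on the last line of the hunk runs even when the bind mount two lines above fails, so the log claims success right after the WARN that says otherwise; make it the else branch of the mount check, `else INFO("Made %s read-write", rwpath);`. A failed rw bind leaves the container's own cgroup path read-only (it can still run, but cannot manage its cgroup), so a misleading success line makes that condition hard to spot when debugging. `source` and `rwpath` are presumably heap strings from must_make_path, and their release is outside the hunk, so I cannot confirm both are freed on the failure path. mount_cgroup_full continues past the end of this hunk.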