From bda5f2bddaa9cd5765baf77c9d21dc8131ad30a6 Mon Sep 17 00:00:00 2001 From: "Eric W. Biederman" Date: Tue, 16 Jun 2015 14:44:36 +0100 Subject: [PATCH] lxc: set nosuid+nodev+noexec flags on /proc/sys mount Future kernels will mandate the use of nosuid+nodev+noexec flags when mounting the /proc/sys filesystem. Unconditionally add them now since they don't harm things regardless and could mitigate future security attacks. (cherry picked from commit 24710414d403f1040794299f5304fee160d0fc23) Conflicts: src/lxc/lxc_container.c --- src/lxc/lxc_container.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c index 95ee68adef..28dabecbbd 100644 --- a/src/lxc/lxc_container.c +++ b/src/lxc/lxc_container.c @@ -760,7 +760,7 @@ typedef struct { static const virLXCBasicMountInfo lxcBasicMounts[] = { { "proc", "/proc", "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, false, false }, - { "/proc/sys", "/proc/sys", NULL, MS_BIND|MS_RDONLY, false, false }, + { "/proc/sys", "/proc/sys", NULL, MS_BIND|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, false, false, false }, { "sysfs", "/sys", "sysfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, false, false }, { "securityfs", "/sys/kernel/security", "securityfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, true, true }, #if WITH_SELINUX @@ -926,7 +926,7 @@ static int lxcContainerMountBasicFS(bool userns_enabled, if (bindOverReadonly && mount(mnt_src, mnt->dst, NULL, - MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0) { + MS_BIND|MS_REMOUNT|mnt_mflags|MS_RDONLY, NULL) < 0) { virReportSystemError(errno, _("Failed to re-mount %s on %s flags=%x"), mnt_src, mnt->dst, -- 2.47.2