From 5b6f9369c7123eb821c8eedce1f907aa3cfe54bc Mon Sep 17 00:00:00 2001
From: Serge Hallyn
Date: Wed, 16 Mar 2016 23:12:57 -0700
Subject: [PATCH] cgfsng: two fixes for cgroup-full

We need to pass nosuid+nexec+nodev to remount to stop the kernel from denying it. When remounting the container's path read-write, use the right dest path.

Signed-off-by: Serge Hallyn
---
 src/lxc/cgfsng.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/lxc/cgfsng.c b/src/lxc/cgfsng.c
index 4432f87e9..cf753199f 100644
--- a/src/lxc/cgfsng.c
+++ b/src/lxc/cgfsng.c
@@ -1238,7 +1238,9 @@ static int mount_cgroup_full(int type, struct hierarchy *h, char *dest,
 		return -1;
 	}
 	if (type != LXC_AUTO_CGROUP_FULL_RW) {
-		if (mount(NULL, dest, "cgroup", MS_BIND | MS_REMOUNT | MS_RDONLY, NULL) < 0) {
+		unsigned long flags = MS_BIND | MS_NOSUID | MS_NOEXEC | MS_NODEV |
+			MS_REMOUNT | MS_RDONLY;
+		if (mount(NULL, dest, "cgroup", flags, NULL) < 0) {
 			SYSERROR("Error remounting %s readonly", dest);
 			return -1;
 		}
@@ -1250,7 +1252,7 @@ static int mount_cgroup_full(int type, struct hierarchy *h, char *dest,
 	/* mount just the container path rw */
 	char *source = must_make_path(h->mountpoint, h->base_cgroup, container_cgroup, NULL);
-	char *rwpath = must_make_path(dest, container_cgroup, NULL);
+	char *rwpath = must_make_path(dest, h->base_cgroup, container_cgroup, NULL);
 	if (mount(source, rwpath, "cgroup", MS_BIND, NULL) < 0)
 		WARN("Failed to mount %s read-write: %m", rwpath);
 	INFO("Made %s read-write", rwpath);
-- 
2.47.2
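Review bot: The new `unsigned long flags = MS_BIND | MS_NOSUID | MS_NOEXEC | MS_NODEV | MS_REMOUNT | MS_RDONLY;` is a hardcoded guess at which flags the kernel has locked on the source mount; the kernel refuses a bind remount that would clear any locked flag, so if the host cgroup mount also carries a locked atime option (noatime/strictatime are locked the same way on mounts inherited into a user namespace) the `mount()` call that follows still fails with EPERM. The robust form is to read the live flags off `dest` with `statvfs()` and carry the `ST_*` bits over, so the read-only remount neither clears a locked flag nor silently widens the mount when the host changes its cgroup mount options. Adding nosuid/noexec/nodev is harmless for cgroupfs itself, so the hardcoded set is safe, just brittle; `statvfs()` needs `<sys/statvfs.h>`. `mount_cgroup_full` starts before this hunk and continues past it.
```c
	if (type != LXC_AUTO_CGROUP_FULL_RW) {
		struct statvfs sb;
		unsigned long flags = MS_BIND | MS_REMOUNT | MS_RDONLY |
				      MS_NOSUID | MS_NOEXEC | MS_NODEV;
		/* Carry over whatever the kernel has locked on the source mount:
		 * a remount that would drop a locked flag is refused with EPERM. */
		if (statvfs(dest, &sb) == 0) {
			if (sb.f_flag & ST_NOATIME)
				flags |= MS_NOATIME;
			/* … other locked ST_* bits (e.g. ST_RELATIME) mapped the same way … */
		}
		if (mount(NULL, dest, "cgroup", flags, NULL) < 0) {
		/* … unchanged: SYSERROR and return -1 … */
```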
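Review bot: The `INFO("Made %s read-write", rwpath);` line runs even when the bind mount on the line above failed and was only `WARN`ed, so the log claims a read-write container cgroup that does not exist while the function continues with a fully read-only tree; making it the else branch of the failed-mount check, `else INFO("Made %s read-write", rwpath);`, keeps the log honest about what the container actually got. The corrected `rwpath` now mirrors the layout of `source` (base cgroup then container cgroup under `dest`), which is what the `MS_BIND` needs to land on the right directory under the read-only remount. What happens to `source` and `rwpath` after the `INFO` is outside the hunk; `mount_cgroup_full` begins before this hunk and continues after it.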