From: Franck Bui Date: Mon, 10 Sep 2018 12:17:32 +0000 (+0200) Subject: nspawn: always use mode 555 for /sys X-Git-Tag: v240~742 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=03d0f4b58ee9fc5d80de7d068613de7c2baad4b7;p=thirdparty%2Fsystemd.git nspawn: always use mode 555 for /sys When a network namespace is needed, /sys is mounted as tmpfs (see commit d8fc6a000fe21b0c1ba27f for details). But in this case mode 755 was used as initial permissions for /sys whereas the default mode for sysfs is 555. In practice using 755 doesn't have any impact because /sys is mounted read-only too but for consistency, let's use the correct mode. Fixes: #10050 --- diff --git a/src/nspawn/nspawn-mount.c b/src/nspawn/nspawn-mount.c index 1279b9bb3ea..995022272a0 100644 --- a/src/nspawn/nspawn-mount.c +++ b/src/nspawn/nspawn-mount.c @@ -550,7 +550,7 @@ int mount_all(const char *dest, /* Then we list outer child mounts (i.e. mounts applied *before* entering user namespacing) */ { "tmpfs", "/tmp", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, MOUNT_FATAL }, - { "tmpfs", "/sys", "tmpfs", "mode=755", MS_NOSUID|MS_NOEXEC|MS_NODEV, + { "tmpfs", "/sys", "tmpfs", "mode=555", MS_NOSUID|MS_NOEXEC|MS_NODEV, MOUNT_FATAL|MOUNT_APPLY_APIVFS_NETNS }, { "sysfs", "/sys", "sysfs", NULL, MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV, MOUNT_FATAL|MOUNT_APPLY_APIVFS_RO }, /* skipped if above was mounted */
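
Review bot: On the changed `tmpfs` `/sys` entry in `mount_all()`, the reason for `mode=555` exists only in the commit message. A short comment on that table line saying the mode matches the sysfs default would keep a later edit from putting 755 back. The flags visible on this entry are `MS_NOSUID|MS_NOEXEC|MS_NODEV` with no `MS_RDONLY`, so the read-only state the commit message relies on is set up outside this hunk. The same comment could say where that happens, so a reader of the table can see that the tmpfs `/sys` ends up both read-only and 555.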