[CRIU] [PATCH] proc: mount proc with minimal permissions
Andrey Vagin
avagin at openvz.org
Thu Jun 18 05:30:40 PDT 2015
Eric wants to restrict permissions for proc mounts in a non-root userns
according with proc mounts in the root userns.
Author: Eric W. Biederman <ebiederm at xmission.com>
Date: Fri May 8 23:49:47 2015 -0500
mnt: Modify fs_fully_visible to deal with locked ro nodev and atime
Ignore an existing mount if the locked readonly, nodev or atime
attributes are less permissive than the desired attributes
of the new mount.
...
Signed-off-by: Andrey Vagin <avagin at openvz.org>
---
cr-restore.c | 2 +-
test/zdtm/lib/ns.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/cr-restore.c b/cr-restore.c
index 418c4ea..de37491 100644
--- a/cr-restore.c
+++ b/cr-restore.c
@@ -1364,7 +1364,7 @@ static int mount_proc(void)
}
pr_info("Mount procfs in %s\n", proc_mountpoint);
- if (mount("proc", proc_mountpoint, "proc", MS_MGC_VAL, NULL)) {
+ if (mount("proc", proc_mountpoint, "proc", MS_MGC_VAL | MS_NOSUID | MS_NOEXEC | MS_NODEV, NULL)) {
pr_perror("mount failed");
rmdir(proc_mountpoint);
return -1;
diff --git a/test/zdtm/lib/ns.c b/test/zdtm/lib/ns.c
index 4b4ef6b..ecf1e0c 100644
--- a/test/zdtm/lib/ns.c
+++ b/test/zdtm/lib/ns.c
@@ -87,7 +87,7 @@ static int prepare_mntns()
* if they are already mounted when the user namespace is created.
* So ./old must be umounted after mounting /proc and /sys.
*/
- if (mount("proc", "/proc", "proc", MS_MGC_VAL, NULL)) {
+ if (mount("proc", "/proc", "proc", MS_MGC_VAL | MS_NOSUID | MS_NOEXEC | MS_NODEV, NULL)) {
fprintf(stderr, "mount(/proc) failed: %m\n");
return -1;
}
--
2.1.0
More information about the CRIU
mailing list