提交 030e9664 编写于 作者: E Eric W. Biederman 提交者: Daniel P. Berrange

lxc: set nosuid+nodev+noexec flags on /proc/sys mount

Future kernels will mandate the use of nosuid+nodev+noexec
flags when mounting the /proc/sys filesystem. Unconditionally
add them now since they don't harm things regardless and could
mitigate future security attacks.

(cherry picked from commit 24710414)
上级 d7395473
...@@ -850,7 +850,7 @@ typedef struct { ...@@ -850,7 +850,7 @@ typedef struct {
static const virLXCBasicMountInfo lxcBasicMounts[] = { static const virLXCBasicMountInfo lxcBasicMounts[] = {
{ "proc", "/proc", "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, false, false, false }, { "proc", "/proc", "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, false, false, false },
{ "/proc/sys", "/proc/sys", NULL, MS_BIND|MS_RDONLY, false, false, false }, { "/proc/sys", "/proc/sys", NULL, MS_BIND|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, false, false, false },
{ "/.oldroot/proc/sys/net/ipv4", "/proc/sys/net/ipv4", NULL, MS_BIND, false, false, true }, { "/.oldroot/proc/sys/net/ipv4", "/proc/sys/net/ipv4", NULL, MS_BIND, false, false, true },
{ "/.oldroot/proc/sys/net/ipv6", "/proc/sys/net/ipv6", NULL, MS_BIND, false, false, true }, { "/.oldroot/proc/sys/net/ipv6", "/proc/sys/net/ipv6", NULL, MS_BIND, false, false, true },
{ "sysfs", "/sys", "sysfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, false, false, false }, { "sysfs", "/sys", "sysfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, false, false, false },
...@@ -1030,7 +1030,7 @@ static int lxcContainerMountBasicFS(bool userns_enabled, ...@@ -1030,7 +1030,7 @@ static int lxcContainerMountBasicFS(bool userns_enabled,
if (bindOverReadonly && if (bindOverReadonly &&
mount(mnt_src, mnt->dst, NULL, mount(mnt_src, mnt->dst, NULL,
MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0) { MS_BIND|MS_REMOUNT|mnt_mflags|MS_RDONLY, NULL) < 0) {
virReportSystemError(errno, virReportSystemError(errno,
_("Failed to re-mount %s on %s flags=%x"), _("Failed to re-mount %s on %s flags=%x"),
mnt_src, mnt->dst, mnt_src, mnt->dst,
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册