diff options
| author | Lennart Poettering <lennart@poettering.net> | 2019-03-25 19:42:47 +0100 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2019-03-25 19:53:05 +0100 |
| commit | 849b9b85b8faa5accc65ed13c871fbb772e7284d (patch) | |
| tree | 528120b49ed41a3285542f8fc3e46184be79ebf9 /src/nspawn | |
| parent | units: set nodev,nosuid,noexec flags for various secondary API VFS (diff) | |
| download | systemd-849b9b85b8faa5accc65ed13c871fbb772e7284d.tar.xz systemd-849b9b85b8faa5accc65ed13c871fbb772e7284d.zip | |
nspawn: mount mqueue with nodev,noexec,nosuid, too
The host mounts it like that, nspawn hence should do too.
Moreover, mount the file system after doing CLONEW_NEWIPC so that it
actually reflects the right mqueues. Finally, mount it wthout
considering it fatal, since POSIX mqueue support is little used and it
should be fine not to support it in the kernel.
Diffstat (limited to 'src/nspawn')
| -rw-r--r-- | src/nspawn/nspawn-mount.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/nspawn/nspawn-mount.c b/src/nspawn/nspawn-mount.c index a3447d948a..81e3065227 100644 --- a/src/nspawn/nspawn-mount.c +++ b/src/nspawn/nspawn-mount.c @@ -580,6 +580,9 @@ int mount_all(const char *dest, PROC_READ_ONLY("/proc/irq"), PROC_READ_ONLY("/proc/scsi"), + { "mqueue", "/dev/mqueue", "mqueue", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, + MOUNT_IN_USERNS }, + /* Then we list outer child mounts (i.e. mounts applied *before* entering user namespacing) */ { "tmpfs", "/tmp", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, MOUNT_FATAL|MOUNT_APPLY_TMPFS_TMP }, @@ -595,8 +598,6 @@ int mount_all(const char *dest, MOUNT_FATAL }, { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME, MOUNT_FATAL }, - { "mqueue", "/dev/mqueue", "mqueue", NULL, 0, - MOUNT_FATAL }, #if HAVE_SELINUX { "/sys/fs/selinux", "/sys/fs/selinux", NULL, NULL, MS_BIND, |