jail: mount more stuff read-only
index 08e95e9903fce2190a03a99ed5198ecf187908d5..9f806b579be346c81bcea4bec00dceb3425c0f41 100644 (file)
@@ -2602,17 +2602,17 @@ static void post_main(struct uloop_timeout *t)
        if (has_namespaces()) {
                if (opts.namespace & CLONE_NEWNS) {
                        if (!opts.extroot && (opts.user || opts.group)) {
-                               add_mount_bind("/etc/passwd", 0, -1);
-                               add_mount_bind("/etc/group", 0, -1);
+                               add_mount_bind("/etc/passwd", 1, -1);
+                               add_mount_bind("/etc/group", 1, -1);
                        }
 
 #if defined(__GLIBC__)
                        if (!opts.extroot)
-                               add_mount_bind("/etc/nsswitch.conf", 0, -1);
+                               add_mount_bind("/etc/nsswitch.conf", 1, -1);
 #endif
 
                        if (!(opts.namespace & CLONE_NEWNET)) {
-                               add_mount_bind("/etc/resolv.conf", 0, -1);
+                               add_mount_bind("/etc/resolv.conf", 1, -1);
                        } else if (opts.setns.net == -1) {
                                char hostdir[PATH_MAX];