jail: mount /sys read-only

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
author: Daniel Golle 2020-04-12 20:39:05 +0000
committer: Daniel Golle 2020-04-13 01:05:42 +0000
commit: 4953b7c4c03472efeadaa2fe89463e4c6d82533a (patch)
tree: 74f8eb2afd53d331277f7b0852203a37e7ffc8a0
parent: 511fd97b5355dd51632f48cf2354eeb7e6aa6260 (diff)
download: procd-4953b7c4c03472efeadaa2fe89463e4c6d82533a.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/jail/jail.c b/jail/jail.c
index 25b847d..052a78e 100644
--- a/jail/jail.c
+++ b/jail/jail.c
@@ -302,7 +302,7 @@ static int build_jail_fs(void)
 	}
 	if (opts.sysfs) {
 		mkdir("/sys", 0755);
-		mount("sysfs", "/sys", "sysfs", MS_NOATIME | MS_NODEV | MS_NOEXEC | MS_NOSUID, 0);
+		mount("sysfs", "/sys", "sysfs", MS_NOATIME | MS_NODEV | MS_NOEXEC | MS_NOSUID | MS_RDONLY, 0);
 	}
 	if (opts.ronly)
 		mount(NULL, "/", NULL, MS_RDONLY | MS_REMOUNT, 0);
author	Daniel Golle	2020-04-12 20:39:05 +0000
committer	Daniel Golle	2020-04-13 01:05:42 +0000
commit	4953b7c4c03472efeadaa2fe89463e4c6d82533a (patch)
tree	74f8eb2afd53d331277f7b0852203a37e7ffc8a0
parent	511fd97b5355dd51632f48cf2354eeb7e6aa6260 (diff)
download	procd-4953b7c4c03472efeadaa2fe89463e4c6d82533a.tar.gz