| author | Daniel Golle | 2020-04-12 20:12:20 +0000 |
|---|---|---|
| committer | Daniel Golle | 2020-04-13 01:05:42 +0000 |
| commit | 511fd97b5355dd51632f48cf2354eeb7e6aa6260 (patch) | |
| tree | a5997bcd6d6889bf0ef101c900ea55bbc5ecd869 | |
| parent | b275a6299e8b1c2e2afcca02a5c333cd3ea60f09 (diff) | |
| download | procd-511fd97b5355dd51632f48cf2354eeb7e6aa6260.tar.gz | |
jail: make /proc more secure
Make sure /proc/sys is read-only while keeping read-write access to
/proc/sys/net if spawning a new network namespace.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
| -rw-r--r-- | jail/jail.c | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/jail/jail.c b/jail/jail.c
index fa8da01..25b847d 100644
--- a/jail/jail.c
+++ b/jail/jail.c
@@ -286,6 +286,19 @@ static int build_jail_fs(void)
 	if (opts.procfs) {
 		mkdir("/proc", 0755);
 		mount("proc", "/proc", "proc", MS_NOATIME | MS_NODEV | MS_NOEXEC | MS_NOSUID, 0);
+		/*
+		 * make /proc/sys read-only while keeping read-write to
+		 * /proc/sys/net if CLONE_NEWNET is set.
+		 */
+		if (opts.namespace & CLONE_NEWNET)
+			mount("/proc/sys/net", "/proc/self/net", NULL, MS_BIND, 0);
+
+		mount("/proc/sys", "/proc/sys", NULL, MS_BIND, 0);
+		mount(NULL, "/proc/sys", NULL, MS_REMOUNT | MS_RDONLY, 0);
+		mount(NULL, "/proc", NULL, MS_REMOUNT, 0);
+
+		if (opts.namespace & CLONE_NEWNET)
+			mount("/proc/self/net", "/proc/sys/net", NULL, MS_MOVE, 0);
 	}
 	if (opts.sysfs) {
 		mkdir("/sys", 0755);
|
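Review bot: Every mount() in the added block ignores its return value, so if the `MS_BIND` step or the `MS_REMOUNT | MS_RDONLY` step fails (for instance EPERM when the mount flags are locked inside a user namespace) build_jail_fs carries on and reports success with a writable /proc/sys, which is the exact state this change exists to prevent; the hunk header shows the function is `static int`, so the read-only steps should fail closed by returning non-zero the way the function reports its other failures. The remount itself also looks fragile: `mount(NULL, "/proc/sys", NULL, MS_REMOUNT | MS_RDONLY, 0)` has no `MS_BIND`, so it remounts the proc superblock rather than the /proc/sys bind mount, which is presumably why the following `mount(NULL, "/proc", NULL, MS_REMOUNT, 0)` is needed to get /proc writable again — and as far as I can tell from mount(2), a remount that omits `MS_NODEV | MS_NOEXEC | MS_NOSUID` clears those per-mount-point flags, leaving /proc without the hardening set two lines earlier. Remounting the bind mount with `MS_REMOUNT | MS_BIND | MS_RDONLY` plus the original flags keeps the superblock and the /proc flags untouched, so the plain /proc remount can go; the CLONE_NEWNET bind and MS_MOVE deserve the same return-value check. build_jail_fs starts and ends outside this hunk.
```c
		mount("proc", "/proc", "proc", MS_NOATIME | MS_NODEV | MS_NOEXEC | MS_NOSUID, 0);
		/* … unchanged: comment and CLONE_NEWNET bind of /proc/sys/net onto /proc/self/net … */
		/*
		 * Remount only the bind mount (MS_BIND): the proc superblock stays
		 * read-write, and the per-mount-point flags are passed again because
		 * a remount clears any it omits.
		 */
		if (mount("/proc/sys", "/proc/sys", NULL, MS_BIND, 0) ||
		    mount(NULL, "/proc/sys", NULL, MS_REMOUNT | MS_BIND | MS_RDONLY |
			  MS_NOATIME | MS_NODEV | MS_NOEXEC | MS_NOSUID, 0)) {
			/* fail closed: never start the jail with a writable /proc/sys */
			return -1;
		}
		/* … unchanged: CLONE_NEWNET MS_MOVE of /proc/self/net back to /proc/sys/net … */
```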