authorDaniel Golle2020-10-22 01:44:14 +0000
committerDaniel Golle2020-10-22 01:44:38 +0000
commitec461ffea89001b4c12196aa64c8235bbb8dfcc4 (patch)
tree3e3afa7e361ae0387598b41654dcf75af1c429c4
parent6c5233a16a4831c69e3dcf09bf557156bc144b80 (diff)
jail: mount more stuff read-only
Mount /etc/resolv.conf, /etc/passwd, /etc/group and /etc/nsswitch.conf read-only in ujail slim-containers. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
-rw-r--r--jail/jail.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/jail/jail.c b/jail/jail.c
index 08e95e9..9f806b5 100644
--- a/jail/jail.c
+++ b/jail/jail.c
@@ -2602,17 +2602,17 @@ static void post_main(struct uloop_timeout *t)
if (has_namespaces()) {
if (opts.namespace & CLONE_NEWNS) {
if (!opts.extroot && (opts.user || opts.group)) {
- add_mount_bind("/etc/passwd", 0, -1);
- add_mount_bind("/etc/group", 0, -1);
+ add_mount_bind("/etc/passwd", 1, -1);
+ add_mount_bind("/etc/group", 1, -1);
}
#if defined(__GLIBC__)
if (!opts.extroot)
- add_mount_bind("/etc/nsswitch.conf", 0, -1);
+ add_mount_bind("/etc/nsswitch.conf", 1, -1);
#endif
if (!(opts.namespace & CLONE_NEWNET)) {
- add_mount_bind("/etc/resolv.conf", 0, -1);
+ add_mount_bind("/etc/resolv.conf", 1, -1);
} else if (opts.setns.net == -1) {
char hostdir[PATH_MAX];