jail: mount more stuff read-only
author Daniel Golle <daniel@makrotopia.org>
Thu, 22 Oct 2020 01:44:14 +0000 (02:44 +0100)
committer Daniel Golle <daniel@makrotopia.org>
Thu, 22 Oct 2020 01:44:38 +0000 (02:44 +0100)
Mount /etc/resolv.conf, /etc/passwd, /etc/group and /etc/nsswitch.conf
read-only in ujail slim-containers.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
jail/jail.c

index 08e95e9903fce2190a03a99ed5198ecf187908d5..9f806b579be346c81bcea4bec00dceb3425c0f41 100644 (file)
@@ -2602,17 +2602,17 @@ static void post_main(struct uloop_timeout *t)
        if (has_namespaces()) {
                if (opts.namespace & CLONE_NEWNS) {
                        if (!opts.extroot && (opts.user || opts.group)) {
-                               add_mount_bind("/etc/passwd", 0, -1);
-                               add_mount_bind("/etc/group", 0, -1);
+                               add_mount_bind("/etc/passwd", 1, -1);
+                               add_mount_bind("/etc/group", 1, -1);
                        }
 
 #if defined(__GLIBC__)
                        if (!opts.extroot)
-                               add_mount_bind("/etc/nsswitch.conf", 0, -1);
+                               add_mount_bind("/etc/nsswitch.conf", 1, -1);
 #endif
 
                        if (!(opts.namespace & CLONE_NEWNET)) {
-                               add_mount_bind("/etc/resolv.conf", 0, -1);
+                               add_mount_bind("/etc/resolv.conf", 1, -1);
                        } else if (opts.setns.net == -1) {
                                char hostdir[PATH_MAX];