If we enabled user ns and provided a uid/gid map, we do not need to mount /proc, /sys as readonly. Leave it to kernel for protection. Signed-off-by: Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx> --- src/lxc/lxc_container.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c index 1b9e2f2..3b5845a 100644 --- a/src/lxc/lxc_container.c +++ b/src/lxc/lxc_container.c @@ -983,6 +983,12 @@ static int lxcContainerMountBasicFS(bool userns_enabled, goto cleanup; } + /* don't readonly mount when userns is enabled */ + if (userns_enabled) { + VIR_FREE(mnt_src); + continue; + } + if (bindOverReadonly && mount(mnt_src, mnt->dst, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0) { -- 1.9.3 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
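Review bot: the new `if (userns_enabled)` block in lxcContainerMountBasicFS skips the read-only remount on only the `userns_enabled` flag, while the commit message conditions the change on two things, user namespaces being enabled and a uid/gid map being provided; nothing in the hunk checks the map. If the map can still place host uid 0 inside the container, kernel ownership checks on /proc and /sys give no protection and the `MS_BIND|MS_REMOUNT|MS_RDONLY` remount was the remaining layer, so either verify the mapping excludes host uid 0 before taking this branch or keep the read-only remount as defense in depth. The commit message should also say what actually goes wrong today, whether the remount fails under a user namespace or is merely redundant, since "we do not need to" does not justify removing a hardening step. As a style point, the early `continue` has to free `mnt_src` itself; folding the condition into the existing test, e.g. `if (bindOverReadonly && !userns_enabled && mount(mnt_src, mnt->dst, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0) {`, would avoid a second exit path from the loop body. Finally, the comment "don't readonly mount when userns is enabled" would be more useful if it stated why (that the kernel denies writes to these filesystems from a mapped user namespace), as that is the security assumption the change depends on.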