From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
Currently to make sysfs readonly, we remount the existing
instance and then bind it readonly. Unfortunately this means
sysfs is still showing device objects wrt the host OS namespace.
We need it to reflect the container namespace, so we must mount
a completely new instance of it.
* src/lxc/lxc_container.c: Mount fresh sysfs instance
---
src/lxc/lxc_container.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index b953646..77d33e1 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -441,8 +441,7 @@ static int lxcContainerMountBasicFS(lxc_child_argv_t *argv, const char *srcprefi
{ false, "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
{ false, "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND },
{ false, "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
- { true, "/sys", "/sys", NULL, NULL, MS_BIND },
- { true, "/sys", "/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
+ { false, "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY },
#if HAVE_SELINUX
{ true, SELINUX_MOUNT, SELINUX_MOUNT, NULL, NULL, MS_BIND },
{ true, SELINUX_MOUNT, SELINUX_MOUNT, NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
--
1.7.10.1
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list