[lxc-devel] [distrobuilder/master] shared/chroot: Make /dev/fuse read-only
monstermunchkin on Github
lxc-bot at linuxcontainers.org
Mon Feb 24 13:21:07 UTC 2020
From 0104864f8a6bfcbfea9d991697ac52c12c58eaf9 Mon Sep 17 00:00:00 2001
From: Thomas Hipp <thomas.hipp at canonical.com>
Date: Mon, 24 Feb 2020 14:20:29 +0100
Subject: [PATCH] shared/chroot: Make /dev/fuse read-only
Signed-off-by: Thomas Hipp <thomas.hipp at canonical.com>
---
shared/chroot.go | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/shared/chroot.go b/shared/chroot.go
index e44703e..6b27b01 100644
--- a/shared/chroot.go
+++ b/shared/chroot.go
@@ -57,6 +57,14 @@ func setupMounts(rootfs string, mounts []ChrootMount) error {
}
}
+ // Make sure /dev/fuse is read-only
+ if lxd.PathExists("/dev/fuse") {
+ err = unix.Mount("", "/dev/fuse", "", unix.MS_REMOUNT|unix.MS_BIND|unix.MS_RDONLY, "")
+ if err != nil {
+ return errors.Wrap(err, "Failed to mount '/dev/fuse' read-only")
+ }
+ }
+
return nil
}
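Review bot: The mount target in this hunk is the bare absolute path "/dev/fuse", while setupMounts takes a rootfs parameter; if, as for the other mounts in this function, the intent is the device node inside the chroot, the target should be filepath.Join(rootfs, "dev/fuse"), otherwise the remount changes the host's /dev/fuse rather than the one the build will see. Separately, MS_REMOUNT|MS_BIND|MS_RDONLY only succeeds when the target is already a bind mount point, and lxd.PathExists("/dev/fuse") establishes only that the path exists, not that it is mounted; if it is a plain device node the call fails with EINVAL and setupMounts returns "Failed to mount '/dev/fuse' read-only", so either bind-mount it first or check that it is a mount point before remounting. A short comment stating why the fuse device must be read-only in the build chroot would also help future readers of this block.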