nspawn: mount a new /proc instance in the container so that we don't see the hosts...

author Lennart Poettering <lennart@poettering.net>

Sat, 23 Jul 2011 13:54:52 +0000 (15:54 +0200)

committer Lennart Poettering <lennart@poettering.net>

Sat, 23 Jul 2011 13:54:52 +0000 (15:54 +0200)
author Lennart Poettering <lennart@poettering.net>
Sat, 23 Jul 2011 13:54:52 +0000 (15:54 +0200)
committer Lennart Poettering <lennart@poettering.net>
Sat, 23 Jul 2011 13:54:52 +0000 (15:54 +0200)
diff --git a/src/nspawn.c b/src/nspawn.c

index 8f3cd74..8d7e0d0 100644 (file)
--- a/src/nspawn.c
+++ b/src/nspawn.c
@@ -124,7 +124,7 @@ static int mount_all(const char *dest) {
          } MountPoint;
  
          static const MountPoint mount_table[] = {
-                { "/proc",     "/proc",     "bind",  NULL,       MS_BIND, true                       },
+                { "proc",      "/proc",     "proc",  NULL,       MS_NOSUID|MS_NOEXEC|MS_NODEV, true  },
                  { "/proc/sys", "/proc/sys", "bind",  NULL,       MS_BIND, true                       },   /* Bind mount first */
                  { "/proc/sys", "/proc/sys", "bind",  NULL,       MS_BIND|MS_RDONLY|MS_REMOUNT, true  },   /* Then, make it r/o */
                  { "/sys",      "/sys",      "bind",  NULL,       MS_BIND,                      true  },   /* Bind mount first */
author	Lennart Poettering <lennart@poettering.net>
	Sat, 23 Jul 2011 13:54:52 +0000 (15:54 +0200)
committer	Lennart Poettering <lennart@poettering.net>
	Sat, 23 Jul 2011 13:54:52 +0000 (15:54 +0200)