uintptr_t flags = (!njc.mount(i).rw()) ? MS_RDONLY : 0;
flags |= njc.mount(i).is_bind() ? (MS_BIND | MS_REC | MS_PRIVATE) : 0;
+ flags |= njc.mount(i).nosuid() ? MS_NOSUID : 0;
+ flags |= njc.mount(i).nodev() ? MS_NODEV : 0;
+ flags |= njc.mount(i).noexec() ? MS_NOEXEC : 0;
bool is_mandatory = njc.mount(i).mandatory();
bool is_symlink = njc.mount(i).is_symlink();
std::string src_content = njc.mount(i).src_content();
optional bool mandatory = 11 [default = true];
/* Is it a symlink (instead of real mount point)? */
optional bool is_symlink = 12 [default = false];
+ /* Is it a nosuid mount */
+ optional bool nosuid = 13 [default = false];
+ /* Is it a nodev mount */
+ optional bool nodev = 14 [default = false];
+ /* Is it a noexec mount */
+ optional bool noexec = 15 [default = false];
}
enum RLimit {
VALUE = 0; /* Use the provided value */
{MS_RELATIME, ST_RELATIME},
};
- unsigned long new_flags = MS_REMOUNT | MS_BIND | (mpt.flags & MS_RDONLY);
+ const unsigned long per_mountpoint_flags =
+ MS_LAZYTIME | MS_MANDLOCK | MS_NOATIME | MS_NODEV | MS_NODIRATIME | MS_NOEXEC |
+ MS_NOSUID | MS_RELATIME | MS_RDONLY | MS_SYNCHRONOUS;
+ unsigned long new_flags = MS_REMOUNT | MS_BIND | (mpt.flags & per_mountpoint_flags);
for (const auto& i : mountPairs) {
if (vfs.f_flag & i.vfs_flag) {
new_flags |= i.mount_flag;
projects / platform / upstream / nsjail.git / commitdiff