On Tue, 2015-03-03 at 09:34 -0800, Andy Lutomirski wrote:
> On Mon, Mar 2, 2015 at 11:59 PM, Alexander Larsson <[email protected]> wrote:
>
> > Also, I'd like to make all the recursively bound subtrees readonly. Is
> > there a better way to do this than enumerating all mounts and remounting
> > all that are under /sys.
> >
> > In fact this is a general problem I have with recursive bind mounts. If
> > I want to grant access to some directory with limited access (for
> > example read-only or nosuid) then I have to use a recursive bind mount,
> > but the remount is not recursive, and furthermore, it does not apply to
> > later mounts that get propagated into my namespace.
> >
> 
> Oh, yuck.
> 
> We should finally just make readonly bind mounts work in the first
> place.  You can partially mitigate this by remounting private before
> you remount ro, though.

I generally run in slave mode, which is what I want here. Either I'm in
hard containment mode, and something like /mnt will not even be mounted in
the container, or I'm allowing some form of access to the system/user
files. If this contains e.g. /mnt then I definitely *do* want to get new
mounts (say if the user inserted a USB stick).

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Alexander Larsson                                            Red Hat, Inc 
       [email protected]            [email protected] 
He's an uncontrollable drug-addicted boxer who knows the secret of the 
alien invasion. She's a cosmopolitan renegade mechanic from the wrong 
side of the tracks. They fight crime! 
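The enumerate-and-remount workaround discussed above, as an added example that is not code from the thread: it parses a constructed /proc/self/mountinfo listing, lists every mount at or below a prefix (deepest first), and emits the one-mount-at-a-time `remount,bind,ro` that a non-recursive remount forces you to run. The sample mount table is constructed; the function names are this example's own.

```shell
#!/bin/sh
# Constructed sample in /proc/self/mountinfo format (fields: id parent
# major:minor root mountpoint options ...). Not captured from a real host.
# "/sysfoo" is there to show that a naive prefix match on "/sys" is wrong,
# and "/mnt/usb\040stick" shows the octal escape mountinfo uses for spaces.
SAMPLE_MOUNTINFO='20 1 0:4 / / rw,relatime - ext4 /dev/sda1 rw
21 20 0:5 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
22 21 0:6 / /sys/kernel/security rw,nosuid - securityfs securityfs rw
23 21 0:7 / /sys/fs/cgroup rw,nosuid - tmpfs tmpfs ro,mode=755
24 20 0:8 / /proc rw,nosuid - proc proc rw
25 20 0:9 / /mnt/usb\040stick rw - vfat /dev/sdb1 rw
26 20 0:10 / /sysfoo rw - tmpfs tmpfs rw'

# mounts_under PREFIX: read mountinfo text on stdin and print the mount
# point of every mount at or below PREFIX, deepest first, so that a
# remount of a child never races a remount of its parent.
mounts_under() {
    prefix=$1
    awk -v p="$prefix" '{
        mp = $5
        # mountinfo escapes space as \040 and tab as \011
        gsub(/\\040/, " ", mp); gsub(/\\011/, "\t", mp)
        if (p == "/") p = ""                      # root matches everything
        if (mp == p || index(mp, p "/") == 1) print mp
    }' | awk '{ print length($0), $0 }' | sort -rn | cut -d' ' -f2-
}

# remount_ro_cmds PREFIX: one remount per mount, since "-o remount,bind,ro"
# only affects the single mount it is given, not the rbind subtree.
# Pipe the output to "sh" as root to apply; here it is only printed.
remount_ro_cmds() {
    mounts_under "$1" | while IFS= read -r mp; do
        printf "mount -o remount,bind,ro -- '%s'\n" "$mp"
    done
}

printf '%s\n' "$SAMPLE_MOUNTINFO" | remount_ro_cmds /sys
```

Mounts propagated into the namespace later (the slave-mode case in the reply) are not covered by this pass; they would need the same treatment when they appear.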

_______________________________________________
gnome-os-list mailing list
[email protected]
https://mail.gnome.org/mailman/listinfo/gnome-os-list