On Tue, Feb 03, 2015 at 05:57:59PM +0000, Serge Hallyn wrote:
> Quoting Stéphane Graber (stgra...@ubuntu.com):
> > Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
> 
> Is that safe now?  I thought there were still some items not properly
> namespaced?

I believe it is, yes. Unsafe items are usually not even shown at all in
there nowadays.

This also matches what we're doing with apparmor.

> 
> > ---
> >  src/lxc/conf.c | 2 ++
> >  1 file changed, 2 insertions(+)
> > 
> > diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> > index d711cda..2868708 100644
> > --- a/src/lxc/conf.c
> > +++ b/src/lxc/conf.c
> > @@ -752,8 +752,10 @@ static int lxc_mount_auto_mounts(struct lxc_conf 
> > *conf, int flags, struct lxc_ha
> >              * 2.6.32...
> >              */
> >             { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "proc",              
> >                                 "%r/proc",                      "proc",     
> > MS_NODEV|MS_NOEXEC|MS_NOSUID,   NULL },
> > +           { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys/net",   
> >                                 "%r/proc/net",                  NULL,       
> > MS_BIND,                        NULL },
> >             { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/sys",       
> >                                 "%r/proc/sys",                  NULL,       
> > MS_BIND,                        NULL },
> >             { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL,                
> >                                 "%r/proc/sys",                  NULL,       
> > MS_REMOUNT|MS_BIND|MS_RDONLY,   NULL },
> > +           { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, "%r/proc/net",       
> >                                 "%r/proc/sys/net",              NULL,       
> > MS_MOVE,                        NULL },
> >             { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, 
> > "%r/proc/sysrq-trigger",                             
> > "%r/proc/sysrq-trigger",        NULL,       MS_BIND,                        
> > NULL },
> >             { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_MIXED, NULL,                
> >                                 "%r/proc/sysrq-trigger",        NULL,       
> > MS_REMOUNT|MS_BIND|MS_RDONLY,   NULL },
> >             { LXC_AUTO_PROC_MASK, LXC_AUTO_PROC_RW,    "proc",              
> >                                 "%r/proc",                      "proc",     
> > MS_NODEV|MS_NOEXEC|MS_NOSUID,   NULL },
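Review bot: the two added LXC_AUTO_PROC_MIXED entries only work because of where they sit relative to the MS_REMOUNT|MS_BIND|MS_RDONLY entry for "%r/proc/sys", and nothing in the table says so. The first binds "%r/proc/sys/net" onto "%r/proc/net" before the read-only remount, and the second moves it back to "%r/proc/sys/net" with MS_MOVE afterwards, apparently so that /proc/sys/net stays writable while the rest of /proc/sys is read-only. Please add a comment above the pair stating that "%r/proc/net" is only a temporary holding point and that the entries must not be reordered or separated. The commit message has no body, so it would also help to record there why a writable /proc/sys/net is considered safe, and whether a failed MS_MOVE step is treated as fatal, since otherwise the bind mount would be left sitting on "%r/proc/net".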
> > -- 
> > 1.9.1
> > 
> > _______________________________________________
> > lxc-devel mailing list
> > lxc-devel@lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-devel

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
