From: Daniel Golle
Date: Thu, 22 Oct 2020 01:44:14 +0000 (+0100)
Subject: jail: mount more stuff read-only
X-Git-Url: http://git.cdn.openwrt.org/?a=commitdiff_plain;h=ec461ffea89001b4c12196aa64c8235bbb8dfcc4;p=project%2Fprocd.git
jail: mount more stuff read-only
Mount /etc/resolv.conf, /etc/passwd, /etc/group and /etc/nsswitch.conf read-only in ujail slim-containers.
Signed-off-by: Daniel Golle
---
diff --git a/jail/jail.c b/jail/jail.c
index 08e95e9..9f806b5 100644
--- a/jail/jail.c
+++ b/jail/jail.c
@@ -2602,17 +2602,17 @@ static void post_main(struct uloop_timeout *t)
 if (has_namespaces()) {
 if (opts.namespace & CLONE_NEWNS) {
 if (!opts.extroot && (opts.user || opts.group)) {
- add_mount_bind("/etc/passwd", 0, -1);
- add_mount_bind("/etc/group", 0, -1);
+ add_mount_bind("/etc/passwd", 1, -1);
+ add_mount_bind("/etc/group", 1, -1);
 }
 #if defined(__GLIBC__)
 if (!opts.extroot)
- add_mount_bind("/etc/nsswitch.conf", 0, -1);
+ add_mount_bind("/etc/nsswitch.conf", 1, -1);
 #endif
 if (!(opts.namespace & CLONE_NEWNET)) {
- add_mount_bind("/etc/resolv.conf", 0, -1);
+ add_mount_bind("/etc/resolv.conf", 1, -1);
 } else if (opts.setns.net == -1) {
 char hostdir[PATH_MAX];
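Review bot: Flipping the second add_mount_bind() argument from 0 to 1 only yields a genuinely read-only view of /etc/passwd, /etc/group, /etc/nsswitch.conf and /etc/resolv.conf if that helper performs the follow-up remount, `mount(NULL, target, NULL, MS_BIND | MS_REMOUNT | MS_RDONLY, NULL)`; the kernel ignores MS_RDONLY on the initial MS_BIND call, so a single-call implementation would leave these files writable from inside the jail despite the flag. add_mount_bind() is not in this hunk, so this is worth confirming against its definition rather than assuming from the commit message. The bare `1` and `-1` at each call site also hide intent; if the helper does not already expose a flag name, a named constant such as `#define BIND_RO 1` used as `add_mount_bind("/etc/passwd", BIND_RO, -1);` would make the read-only intent visible without a comment. post_main() starts before this hunk and continues after it.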