From ec461ffea89001b4c12196aa64c8235bbb8dfcc4 Mon Sep 17 00:00:00 2001
From: Daniel Golle
Date: Thu, 22 Oct 2020 02:44:14 +0100
Subject: [PATCH] jail: mount more stuff read-only

Mount /etc/resolv.conf, /etc/passwd, /etc/group and /etc/nsswitch.conf read-only in ujail slim-containers.

Signed-off-by: Daniel Golle
---
 jail/jail.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/jail/jail.c b/jail/jail.c
index 08e95e9..9f806b5 100644
--- a/jail/jail.c
+++ b/jail/jail.c
@@ -2602,17 +2602,17 @@ static void post_main(struct uloop_timeout *t)
 if (has_namespaces()) {
 if (opts.namespace & CLONE_NEWNS) {
 if (!opts.extroot && (opts.user || opts.group)) {
- add_mount_bind("/etc/passwd", 0, -1);
- add_mount_bind("/etc/group", 0, -1);
+ add_mount_bind("/etc/passwd", 1, -1);
+ add_mount_bind("/etc/group", 1, -1);
 }
 #if defined(__GLIBC__)
 if (!opts.extroot)
- add_mount_bind("/etc/nsswitch.conf", 0, -1);
+ add_mount_bind("/etc/nsswitch.conf", 1, -1);
 #endif
 if (!(opts.namespace & CLONE_NEWNET)) {
- add_mount_bind("/etc/resolv.conf", 0, -1);
+ add_mount_bind("/etc/resolv.conf", 1, -1);
 } else if (opts.setns.net == -1) {
 char hostdir[PATH_MAX];
-- 
2.30.2
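Review bot: Flipping the second argument of add_mount_bind() to 1 for /etc/passwd, /etc/group, /etc/nsswitch.conf and /etc/resolv.conf only yields a read-only mount if the helper also performs the follow-up remount: a single mount(2) with MS_BIND|MS_RDONLY silently ignores MS_RDONLY, and the bind stays writable until a second call with MS_REMOUNT|MS_BIND|MS_RDONLY. add_mount_bind() is not in this hunk, so it may already do that, but it is worth confirming since the commit's whole point is that the jailed process cannot rewrite these host files. Even with the remount in place, a jailed process that keeps CAP_SYS_ADMIN in its mount namespace can remount the bind read-write, so the guarantee also depends on which capabilities the jail drops. A short comment above the first call would record the intent and its limit, e.g. `/* read-only binds: the jailed uid/gid must not be able to rewrite the host's account and resolver files */`. post_main() begins before and continues past this hunk.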