authorLennart Poettering <lennart@poettering.net>2018-04-30 12:22:41 +0200
committerLennart Poettering <lennart@poettering.net>2018-05-03 17:45:42 +0200
commitd4b653c589fc103325a22680227fea6f35b2a781 (patch)
treeed33c06e6a25cf8913d67b27faf6e8553f6f0220 /src/nspawn/nspawn-mount.h
parent10af01a5ff5a6ede9cc684def71508b88f6b93eb (diff)
nspawn: lock down a few things in /proc by default
This tightens security on /proc: a couple of files exposed there are now made inaccessible. These files might potentially leak kernel internals or expose non-virtualized concepts, hence lock them down by default. Moreover, a couple of dirs in /proc that expose stuff also exposed in /sys are now marked read-only, similar to how we handle /sys. The list is taken from what docker/runc based container managers generally apply, but slightly extended.
Diffstat (limited to 'src/nspawn/nspawn-mount.h')
-rw-r--r--src/nspawn/nspawn-mount.h13
1 files changed, 7 insertions, 6 deletions
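--- a/src/nspawn/nspawn-mount.h
+++ b/src/nspawn/nspawn-mount.h
@@ -13,12 +13,13 @@
 #include "volatile-util.h"
 typedef enum MountSettingsMask {
- MOUNT_FATAL = 1 << 0, /* if set, a mount error is considered fatal */
- MOUNT_USE_USERNS = 1 << 1, /* if set, mounts are patched considering uid/gid shifts in a user namespace */
- MOUNT_IN_USERNS = 1 << 2, /* if set, the mount is executed in the inner child, otherwise in the outer child */
- MOUNT_APPLY_APIVFS_RO = 1 << 3, /* if set, /proc/sys, and /sysfs will be mounted read-only, otherwise read-write. */
- MOUNT_APPLY_APIVFS_NETNS = 1 << 4, /* if set, /proc/sys/net will be mounted read-write.
- Works only if MOUNT_APPLY_APIVFS_RO is also set. */
+ MOUNT_FATAL = 1U << 0, /* if set, a mount error is considered fatal */
+ MOUNT_USE_USERNS = 1U << 1, /* if set, mounts are patched considering uid/gid shifts in a user namespace */
+ MOUNT_IN_USERNS = 1U << 2, /* if set, the mount is executed in the inner child, otherwise in the outer child */
+ MOUNT_APPLY_APIVFS_RO = 1U << 3, /* if set, /proc/sys, and /sys will be mounted read-only, otherwise read-write. */
+ MOUNT_APPLY_APIVFS_NETNS = 1U << 4, /* if set, /proc/sys/net will be mounted read-write.
+ Works only if MOUNT_APPLY_APIVFS_RO is also set. */
+ MOUNT_INACCESSIBLE_REG = 1U << 5, /* if set, create an inaccessible regular file first and use as bind mount source */
 } MountSettingsMask;
 typedef enum CustomMountType {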
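Review bot: The new `MOUNT_INACCESSIBLE_REG` comment says what gets created but not when a caller has to set it, and for a lockdown flag that is the security-relevant part: presumably it is required whenever the bind-mount target is a regular file under /proc, since a directory source cannot be bound over a file and the mount would fail (or, if not fatal, silently leave the file exposed) — the mount code that decides this is outside the hunk, so confirm against it. Suggest `/* if set, the target is a regular file: create an inaccessible regular file and use it as bind mount source (the default inaccessible source is a directory and cannot be bound over a file) */`. The `MOUNT_APPLY_APIVFS_RO` comment also still lists only `/proc/sys` and `/sys`, while the commit message says further /proc directories are now mounted read-only; if those are gated by this same flag, the comment should say so, e.g. `/* if set, /proc/sys, /sys and the read-only /proc entries of the lockdown list are mounted read-only, otherwise read-write. */`, and the stray comma in `/proc/sys, and /sys` can go.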