From: Daniel Golle Date: Mon, 13 Jul 2020 08:57:05 +0000 (+0100) Subject: jail: don't make mount source read-only X-Git-Url: http://git.openwrt.org/%22https:/collectd.org//%22http:/www.crowdsec.net/%22/%22https:/collectd.org/%22http:/www.crowdsec.net/%22?a=commitdiff_plain;h=b586e7d693d39247d854b03c15610173b7a42f61;p=project%2Fprocd.git jail: don't make mount source read-only From mount(2): Specifying mountflags as: MS_REMOUNT | MS_BIND | MS_RDONLY will make access through this mountpoint read-only, without affecting other mount points. Hence use MS_BIND when remounting container rootfs read-only. Signed-off-by: Daniel Golle
---
diff --git a/jail/jail.c b/jail/jail.c
index e8abd8a..aa6288e 100644
--- a/jail/jail.c
+++ b/jail/jail.c
@@ -533,7 +533,7 @@ static int build_jail_fs(void)
 mount("sysfs", "/sys", "sysfs", MS_NOATIME | MS_NODEV | MS_NOEXEC | MS_NOSUID | MS_RDONLY, 0);
 }
 if (opts.ronly)
- mount(NULL, "/", NULL, MS_RDONLY | MS_REMOUNT, 0);
+ mount(NULL, "/", NULL, MS_REMOUNT | MS_BIND | MS_RDONLY, 0);
 return 0;
 }
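Review bot: The result of the read-only remount under `if (opts.ronly)` is still discarded, so if the call fails the function falls through to `return 0` and the jail starts with a writable root even though read-only was requested. With `MS_REMOUNT | MS_BIND` the call now changes per-mount flags, and mount(2) expects the existing per-mount flags to be passed again. Inside a user namespace the kernel may reject a remount that would drop locked flags such as `MS_NOSUID` or `MS_NODEV`, so a failure here is a realistic case. I would fail closed with `if (opts.ronly && mount(NULL, "/", NULL, MS_REMOUNT | MS_BIND | MS_RDONLY, 0)) return -1;`, assuming callers treat a non-zero return from build_jail_fs as a fatal setup error. build_jail_fs begins outside the hunk, so how its earlier mount calls handle errors cannot be seen from here.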