core: remount /sys/fs/cgroup/ read-only after we mounted all controllers
Given that glibc searches for /dev/shm by just looking for any tmpfs, we should be more careful about providing tmpfs instances that arbitrary code might end up writing to.
This commit is contained in:
parent
a641dcd9bf
commit
679142ce4a
@ -338,6 +338,10 @@ int mount_cgroup_controllers(char ***join_controllers) {
|
||||
}
|
||||
}
|
||||
|
||||
/* Now that we mounted everything, let's make the tmpfs the
|
||||
* cgroup file systems are mounted into read-only. */
|
||||
mount("tmpfs", "/sys/fs/cgroup", "tmpfs", MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME|MS_RDONLY, "mode=755");
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
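Review bot: The return value of the mount() remount call is discarded, so if the MS_REMOUNT fails the tmpfs at /sys/fs/cgroup silently stays writable, which is exactly the condition the commit description identifies as the risk. A failed remount should at least be logged so the degraded state is visible, e.g. `if (mount("tmpfs", "/sys/fs/cgroup", "tmpfs", MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME|MS_RDONLY, "mode=755") < 0)` followed by `log_warning("Failed to remount /sys/fs/cgroup read-only: %m");`. Whether to turn that into a hard error instead depends on whether a writable cgroup tmpfs is acceptable at boot, which the hunk does not decide. The body of mount_cgroup_controllers starts outside the hunk, so earlier error-handling conventions in the function are not visible here.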