nspawn: mount mqueue with nodev,noexec,nosuid, too

The host mounts it like that, nspawn hence should do too. Moreover, mount the file system after doing CLONEW_NEWIPC so that it actually reflects the right mqueues. Finally, mount it wthout considering it fatal, since POSIX mqueue support is little used and it should be fine not to support it in the kernel.
2025-03-08 08:58:27 +03:00 · 2019-03-25 19:42:47 +01:00 · 2019-03-25 19:42:47 +01:00 · 849b9b85b8
commit 849b9b85b8
parent 5cb02182fd
1 changed files with 3 additions and 2 deletions
--- a/src/nspawn/nspawn-mount.c
+++ b/src/nspawn/nspawn-mount.c
@ -580,6 +580,9 @@ int mount_all(const char *dest,
                PROC_READ_ONLY("/proc/irq"),
                PROC_READ_ONLY("/proc/scsi"),

+                { "mqueue",          "/dev/mqueue",     "mqueue", NULL,       MS_NOSUID|MS_NOEXEC|MS_NODEV,
+                  MOUNT_IN_USERNS },
+
                /* Then we list outer child mounts (i.e. mounts applied *before* entering user namespacing) */
                { "tmpfs",           "/tmp",            "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
                  MOUNT_FATAL|MOUNT_APPLY_TMPFS_TMP },
@ -595,8 +598,6 @@ int mount_all(const char *dest,
                  MOUNT_FATAL },
                { "tmpfs",           "/run",            "tmpfs", "mode=755",  MS_NOSUID|MS_NODEV|MS_STRICTATIME,
                  MOUNT_FATAL },
-                { "mqueue",          "/dev/mqueue",     "mqueue", NULL,       0,
-                  MOUNT_FATAL },

 #if HAVE_SELINUX
                { "/sys/fs/selinux", "/sys/fs/selinux", NULL,    NULL,        MS_BIND,