Merge pull request #12105 from poettering/api-vfs-mount-flags

some API VFS mount flag tweaks

src/nspawn/nspawn-mount.c

@@ -580,6 +580,9 @@ int mount_all(const char *dest,
                 PROC_READ_ONLY("/proc/irq"),
                 PROC_READ_ONLY("/proc/scsi"),
 
+                { "mqueue",          "/dev/mqueue",     "mqueue", NULL,       MS_NOSUID|MS_NOEXEC|MS_NODEV,
+                  MOUNT_IN_USERNS },
+
                 /* Then we list outer child mounts (i.e. mounts applied *before* entering user namespacing) */
                 { "tmpfs",           "/tmp",            "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
                   MOUNT_FATAL|MOUNT_APPLY_TMPFS_TMP },
@@ -595,8 +598,6 @@ int mount_all(const char *dest,
                   MOUNT_FATAL },
                 { "tmpfs",           "/run",            "tmpfs", "mode=755",  MS_NOSUID|MS_NODEV|MS_STRICTATIME,
                   MOUNT_FATAL },
-                { "mqueue",          "/dev/mqueue",     "mqueue", NULL,       0,
-                  MOUNT_FATAL },
 
 #if HAVE_SELINUX
                 { "/sys/fs/selinux", "/sys/fs/selinux", NULL,    NULL,        MS_BIND,

units/dev-mqueue.mount

@@ -20,3 +20,4 @@ ConditionCapability=CAP_SYS_ADMIN
 What=mqueue
 Where=/dev/mqueue
 Type=mqueue
+Options=nosuid,nodev,noexec

units/proc-sys-fs-binfmt_misc.mount

@@ -17,3 +17,4 @@ DefaultDependencies=no
 What=binfmt_misc
 Where=/proc/sys/fs/binfmt_misc
 Type=binfmt_misc
+Options=nosuid,nodev,noexec

units/sys-fs-fuse-connections.mount

@@ -22,3 +22,4 @@ Before=sysinit.target
 What=fusectl
 Where=/sys/fs/fuse/connections
 Type=fusectl
+Options=nosuid,nodev,noexec

units/sys-kernel-config.mount

@@ -21,3 +21,4 @@ Before=sysinit.target
 What=configfs
 Where=/sys/kernel/config
 Type=configfs
+Options=nosuid,nodev,noexec

units/sys-kernel-debug.mount

@@ -20,3 +20,4 @@ Before=sysinit.target
 What=debugfs
 Where=/sys/kernel/debug
 Type=debugfs
+Options=nosuid,nodev,noexec