core: remount /sys/fs/cgroup/ read-only after we mounted all controllers

Given that glibc searches for /dev/shm by just looking for any tmpfs we should be more careful with providing tmpfs instances arbitrary code might end up writing to.
2014-03-18 04:06:54 +01:00 · 2014-03-18 04:06:54 +01:00 · 679142ce4a
parent a641dcd9bf
commit 679142ce4a
1 changed files with 4 additions and 0 deletions
--- a/src/core/mount-setup.c
+++ b/src/core/mount-setup.c
@ -338,6 +338,10 @@ int mount_cgroup_controllers(char ***join_controllers) {
                }
        }

+        /* Now that we mounted everything, let's make the tmpfs the
+         * cgroup file systems are mounted into read-only. */
+        mount("tmpfs", "/sys/fs/cgroup", "tmpfs", MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME|MS_RDONLY, "mode=755");
+
        return 0;
 }