jail: make /proc more secure

Make sure /proc/sys is read-only while keeping read-write access to
/proc/sys/net if spawning a new network namespace.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>

diff --git a/jail/jail.c b/jail/jail.c
index fa8da01435419aac2397b7d8dd19c0a3b41d2dee..25b847d92a9ad093f38da0bb6c9b73a48524406f 100644 (file)
--- a/jail/jail.c
+++ b/jail/jail.c
@@ -286,6 +286,19 @@ static int build_jail_fs(void)
        if (opts.procfs) {
                mkdir("/proc", 0755);
                mount("proc", "/proc", "proc", MS_NOATIME | MS_NODEV | MS_NOEXEC | MS_NOSUID, 0);
+               /*
+                * make /proc/sys read-only while keeping read-write to
+                * /proc/sys/net if CLONE_NEWNET is set.
+                */
+               if (opts.namespace & CLONE_NEWNET)
+                       mount("/proc/sys/net", "/proc/self/net", NULL, MS_BIND, 0);
+
+               mount("/proc/sys", "/proc/sys", NULL, MS_BIND, 0);
+               mount(NULL, "/proc/sys", NULL, MS_REMOUNT | MS_RDONLY, 0);
+               mount(NULL, "/proc", NULL, MS_REMOUNT, 0);
+
+               if (opts.namespace & CLONE_NEWNET)
+                       mount("/proc/self/net", "/proc/sys/net", NULL, MS_MOVE, 0);
        }
        if (opts.sysfs) {
                mkdir("/sys", 0755);