5fbc4bbbdd
a) In the linux namespace mount case an additional MS_NOATIME, etc. will result in EPERM on remounting something hosted in a toplevel [rel]atime mount. man 2 mount has 'An attempt was made to modify (MS_REMOUNT) the MS_RDONLY, MS_NOSUID, or MS_NOEXEC flag, or one of the "atime" flags (MS_NOATIME, MS_NODIRATIME, MS_RELATIME) of an existing mount, but the mount is locked'. b) lxc has default apparmor rules of https://github.com/lxc/lxc/blob/main/config/apparmor/abstractions/container-base where the closest match is: "mount options=(ro,remount,bind,nodev,nosuid)" so additional 'MS_SILENT' or 'MS_REC' flags similarly also cause the remount to be denied So if we use a more recognized set of options we work out of the box in the default lxc configuration. Signed-off-by: Caolán McNamara <caolan.mcnamara@collabora.com> Change-Id: I5f8de2de998ae1a85fefc1c9537b79b2b3bdefec
37 lines
1 KiB
C++
37 lines
1 KiB
C++
/* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4; fill-column: 100 -*- */
|
|
/*
|
|
* Copyright the Collabora Online contributors.
|
|
*
|
|
* SPDX-License-Identifier: MPL-2.0
|
|
*
|
|
* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
*/
|
|
/*
|
|
* This is a very tiny helper to allow overlay mounting.
|
|
*/
|
|
|
|
#include <config.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <sysexits.h>
|
|
|
|
#include <security.h>
|
|
|
|
extern int domount(int argc, const char* const* argv);
|
|
|
|
int main(int argc, char** argv)
|
|
{
|
|
/*WARNING: PRIVILEGED CODE CHECKING START */
|
|
/*WARNING*/ if (!hasCorrectUID(/* appName = */ "coolmount"))
|
|
/*WARNING*/ {
|
|
/*WARNING*/ fprintf(stderr, "Aborting.\n");
|
|
/*WARNING*/ return EX_SOFTWARE;
|
|
/*WARNING*/ }
|
|
/*WARNING: PRIVILEGED CODE CHECKING END */
|
|
|
|
return domount(argc, argv);
|
|
}
|
|
|
|
/* vim:set shiftwidth=4 softtabstop=4 expandtab: */
|