mount procfs readonly to prevent breakout

2025-08-22 07:55:39 +00:00 · 2024-11-04 11:32:51 +09:00
parent 8346a7165f
commit c442169036
2 changed files with 2 additions and 1 deletions
--- a/src/bin/izoli.rs
+++ b/src/bin/izoli.rs
@ -42,6 +42,7 @@ fn main() {
                Mount::new("/lib64", "/lib64", true, false),
                Mount::new("/usr/lib", "/usr/lib", true, false),
                Mount::new("/usr/lib64", "/usr/lib64", true, false),
+                Mount::new("/etc", "/etc", true, true),
            ],
        },
    );
--- a/src/izolibox.rs
+++ b/src/izolibox.rs
@ -112,7 +112,7 @@ impl IzoliBox {

        let mounts = [
            ("tmp", Some("tmpfs"), MsFlags::empty()),
-            ("proc", Some("proc"), MsFlags::empty()),
+            ("proc", Some("proc"), MsFlags::MS_RDONLY),
        ];

        for (target, source, flags) in mounts.iter() {