From c442169036098aa8a12cdfb4307a6aefd3e53edf Mon Sep 17 00:00:00 2001
From: mii
Date: Mon, 4 Nov 2024 11:32:51 +0900
Subject: [PATCH] mount procfs readonly to prevent breakout

---
 src/bin/izoli.rs | 1 +
 src/izolibox.rs | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/bin/izoli.rs b/src/bin/izoli.rs
index f4ad06f..d1c723f 100644
--- a/src/bin/izoli.rs
+++ b/src/bin/izoli.rs
@@ -42,6 +42,7 @@ fn main() {
 Mount::new("/lib64", "/lib64", true, false),
 Mount::new("/usr/lib", "/usr/lib", true, false),
 Mount::new("/usr/lib64", "/usr/lib64", true, false),
+ Mount::new("/etc", "/etc", true, true),
 ],
 },
 );
diff --git a/src/izolibox.rs b/src/izolibox.rs
index 24b3873..b7c3615 100644
--- a/src/izolibox.rs
+++ b/src/izolibox.rs
@@ -112,7 +112,7 @@ impl IzoliBox {
 let mounts = [
 ("tmp", Some("tmpfs"), MsFlags::empty()),
- ("proc", Some("proc"), MsFlags::empty()),
+ ("proc", Some("proc"), MsFlags::MS_RDONLY),
 ];
 for (target, source, flags) in mounts.iter() {
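Review bot: The added `Mount::new("/etc", "/etc", true, true)` line exposes the whole host /etc to the sandbox, which is unrelated to the procfs change the subject describes and is not explained by the commit message or a comment; /etc carries host account and service configuration, so the reason the sandbox needs it should be recorded next to the entry. The fourth argument is `true` here while every neighbouring mount passes `false`, and since `Mount::new` is defined outside this hunk a reader cannot tell from the list what that flag changes; a comment such as `// host /etc is bind-mounted because <REASON-PLACEHOLDER>; last flag = <FLAG-MEANING-PLACEHOLDER>` would make both points reviewable. If only a few files are actually required (name resolution, loader cache), mounting those paths individually rather than the directory would narrow what the sandboxed process can read. The enclosing `main` body and the `Mount::new` signature both lie outside the hunk, so the flag semantics here are inferred from the neighbouring entries only.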