Author: Daniel Baumann <daniel.baumann@progress-linux.org>
Description: Mount /proc with the hidepid=2 option.

diff -Naurp systemd.orig/src/core/mount-setup.c systemd/src/core/mount-setup.c
--- systemd.orig/src/core/mount-setup.c
+++ systemd/src/core/mount-setup.c
@@ -61,7 +61,7 @@ typedef struct MountPoint {
 static const MountPoint mount_table[] = {
         { "sysfs",       "/sys",                      "sysfs",      NULL,                      MS_NOSUID|MS_NOEXEC|MS_NODEV,
           NULL,          MNT_FATAL|MNT_IN_CONTAINER },
-        { "proc",        "/proc",                     "proc",       NULL,                      MS_NOSUID|MS_NOEXEC|MS_NODEV,
+        { "proc",        "/proc",                     "proc",       "hidepid=2",               MS_NOSUID|MS_NOEXEC|MS_NODEV,
           NULL,          MNT_FATAL|MNT_IN_CONTAINER },
         { "devtmpfs",    "/dev",                      "devtmpfs",   "mode=755",                MS_NOSUID|MS_STRICTATIME,
           NULL,          MNT_FATAL|MNT_IN_CONTAINER },
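Review bot: The new option string on the `+` line carries no `gid=` exemption, so once /proc is mounted with hidepid=2 every non-root process sees only its own user's /proc/<pid> entries, and any unprivileged daemon that has to enumerate other users' processes (session or policy helpers, monitoring agents) silently loses that view; the usual form is `"hidepid=2,gid=<PROC_GID>"`, where `<PROC_GID>` is a numeric group the distribution reserves for processes allowed to bypass the restriction. The nspawn-mount.c hunk has the same gap. Note also that mount-setup's table entries are, as far as I recall, skipped when the target is already a mount point (that check is outside the hunk), so if the initramfs hands over an already-mounted /proc the option is never applied and a remount would be needed; worth verifying on the distribution's boot path. A one-line comment above the entry stating why hidepid=2 is wanted and which group, if any, is exempted would help the next maintainer of this patch.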
diff -Naurp systemd.orig/src/nspawn/nspawn-mount.c systemd/src/nspawn/nspawn-mount.c
--- systemd.orig/src/nspawn/nspawn-mount.c
+++ systemd/src/nspawn/nspawn-mount.c
@@ -512,7 +512,7 @@ int mount_all(const char *dest,
 
         static const MountPoint mount_table[] = {
                 /* First we list inner child mounts (i.e. mounts applied *after* entering user namespacing) */
-                { "proc",            "/proc",           "proc",  NULL,        MS_NOSUID|MS_NOEXEC|MS_NODEV,
+                { "proc",            "/proc",           "proc",  "hidepid=2", MS_NOSUID|MS_NOEXEC|MS_NODEV,
                   MOUNT_FATAL|MOUNT_IN_USERNS },
 
                 { "/proc/sys",       "/proc/sys",       NULL,    NULL,        MS_BIND,