1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
|
Author: Daniel Baumann <daniel.baumann@progress-linux.org>
Description: Mounting /proc with hidepid=2 option.
diff -Naurp systemd.orig/src/nspawn/nspawn-mount.c systemd/src/nspawn/nspawn-mount.c
--- systemd.orig/src/nspawn/nspawn-mount.c
+++ systemd/src/nspawn/nspawn-mount.c
@@ -542,7 +542,7 @@ int mount_all(const char *dest,
static const MountPoint mount_table[] = {
/* First we list inner child mounts (i.e. mounts applied *after* entering user namespacing) */
- { "proc", "/proc", "proc", NULL, PROC_DEFAULT_MOUNT_FLAGS,
+ { "proc", "/proc", "proc", "hidepid=2", PROC_DEFAULT_MOUNT_FLAGS,
MOUNT_FATAL|MOUNT_IN_USERNS|MOUNT_MKDIR|MOUNT_FOLLOW_SYMLINKS }, /* we follow symlinks here since not following them requires /proc/ already being mounted, which we don't have here. */
{ "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND,
diff -Naurp systemd.orig/src/shared/mount-setup.c systemd/src/shared/mount-setup.c
--- systemd.orig/src/shared/mount-setup.c
+++ systemd/src/shared/mount-setup.c
@@ -77,7 +77,7 @@ static bool check_recursiveprot_supporte
}
static const MountPoint mount_table[] = {
- { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
+ { "proc", "/proc", "proc", "hidepid=2", MS_NOSUID|MS_NOEXEC|MS_NODEV,
NULL, MNT_FATAL|MNT_IN_CONTAINER|MNT_FOLLOW_SYMLINK },
{ "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
NULL, MNT_FATAL|MNT_IN_CONTAINER },
|
