path: root/debian/patches/progress-linux/0002-proc-hidepid.patch
Author: Daniel Baumann <daniel.baumann@progress-linux.org>
Description: Mounting /proc with hidepid=2 option.

diff -Naurp systemd.orig/src/nspawn/nspawn-mount.c systemd/src/nspawn/nspawn-mount.c
--- systemd.orig/src/nspawn/nspawn-mount.c
+++ systemd/src/nspawn/nspawn-mount.c
@@ -513,7 +513,7 @@ int mount_all(const char *dest,
 
         static const MountPoint mount_table[] = {
                 /* First we list inner child mounts (i.e. mounts applied *after* entering user namespacing) */
-                { "proc",            "/proc",           "proc",  NULL,        MS_NOSUID|MS_NOEXEC|MS_NODEV,
+                { "proc",            "/proc",           "proc",  "hidepid=2", MS_NOSUID|MS_NOEXEC|MS_NODEV,
                   MOUNT_FATAL|MOUNT_IN_USERNS|MOUNT_MKDIR|MOUNT_FOLLOW_SYMLINKS }, /* we follow symlinks here since not following them requires /proc/ already being mounted, which we don't have here. */
 
                 { "/proc/sys",       "/proc/sys",       NULL,    NULL,        MS_BIND,
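Review bot: The new `"hidepid=2"` option string on the `/proc` entry carries no `gid=` exemption, so no group can be granted back the view of other users' `/proc/<pid>` directories; the same applies to the `/proc` entry changed in src/shared/mount-setup.c. Unprivileged daemons that look up a peer process under /proc (authorization or monitoring helpers are the usual case) would presumably start failing those lookups. If the restriction is intended, consider `"hidepid=2,gid=<PROC_READERS_GID>"` (a placeholder for a distribution-chosen group) together with a short comment on the entry saying this is a downstream hardening choice. The body of mount_all and the rest of the table lie outside the hunk.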
diff -Naurp systemd.orig/src/shared/mount-setup.c systemd/src/shared/mount-setup.c
--- systemd.orig/src/shared/mount-setup.c
+++ systemd/src/shared/mount-setup.c
@@ -62,7 +62,7 @@ typedef struct MountPoint {
 #endif
 
 static const MountPoint mount_table[] = {
-        { "proc",        "/proc",                     "proc",       NULL,                                      MS_NOSUID|MS_NOEXEC|MS_NODEV,
+        { "proc",        "/proc",                     "proc",       "hidepid=2",                               MS_NOSUID|MS_NOEXEC|MS_NODEV,
           NULL,          MNT_FATAL|MNT_IN_CONTAINER|MNT_FOLLOW_SYMLINK },
         { "sysfs",       "/sys",                      "sysfs",      NULL,                                      MS_NOSUID|MS_NOEXEC|MS_NODEV,
           NULL,          MNT_FATAL|MNT_IN_CONTAINER },
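Review bot: The `/proc` entry keeps `MNT_FATAL` while gaining a hard-coded option string, and nothing on the line says why the option is there or how far it can be relied on. Judging by the flag name, a kernel that rejects the option would turn this mount into a fatal setup error, and a later remount of /proc (for example from fstab) could presumably drop the option again, so callers should not treat the hiding as an invariant. I would add a comment above the entry such as `/* hidepid=2: non-root users see only their own /proc/<pid>; downstream hardening, may be changed by a later remount */`. The table continues beyond the hunk, so the interaction with other entries is not visible here.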