oracle template: restrict writeability in /proc and /sys

Note that since we don't drop CAP_SYS_ADMIN, root in the container can remount proc or sys however they want to, however this at least improves the default situation. Signed-off-by: Dwight Engen <dwight.engen@oracle.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

oracle template: restrict writeability in /proc and /sys
33662399 · Dwight Engen · Stéphane Graber · 8f47bc3f · 33662399
Commit 33662399 authored Oct 23, 2013 by Dwight Engen Committed by Stéphane Graber Oct 23, 2013
Show whitespace changes
Inline Side-by-side

Showing with 1 addition and 6 deletions

lxc-oracle.in templates/lxc-oracle.in +1 -6

No files found.
--- a/templates/lxc-oracle.in
+++ b/templates/lxc-oracle.in
@@ -350,7 +350,7 @@ lxc.utsname = $name
 lxc.devttydir = lxc
 lxc.tty = 4
 lxc.pts = 1024
-lxc.mount = $cfg_dir/fstab
+lxc.mount.auto = proc:mixed sys:ro
 lxc.hook.clone = @DATADIR@/lxc/hooks/clonehostname
 # Uncomment these if you don't run anything that needs the capability, and
 # would like the container to run with less privilege.
@@ -404,11 +404,6 @@ lxc.cgroup.devices.allow = c 1:9 rwm	# /dev/urandom
 lxc.cgroup.devices.allow = c 136:* rwm	# /dev/tty[1-4] ptys and lxc console
 lxc.cgroup.devices.allow = c 5:2 rwm	# /dev/ptmx pty master
 EOF
-    cat <<EOF > $cfg_dir/fstab || die "unable to create $cfg_dir/fstab"
-proc    proc     proc   nodev,noexec,nosuid 0 0
-sysfs   sys      sysfs  defaults  0 0
-EOF
 }
 container_rootfs_clone()