cgfsng: two fixes for cgroup-full

We need to pass nosuid+nexec+nodev to remount to stop the kernel from denying it. When remounting the container's path read-write, use the right dest path. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

cgfsng: two fixes for cgroup-full
5b6f9369 · Serge Hallyn · 3e32591c · 5b6f9369
Commit 5b6f9369 authored Mar 16, 2016 by Serge Hallyn
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 2 deletions

cgfsng.c src/lxc/cgfsng.c +4 -2

No files found.
--- a/src/lxc/cgfsng.c
+++ b/src/lxc/cgfsng.c
@@ -1238,7 +1238,9 @@ static int mount_cgroup_full(int type, struct hierarchy *h, char *dest,
 		return -1;
 	}
 	if (type != LXC_AUTO_CGROUP_FULL_RW) {
-		if (mount(NULL, dest, "cgroup", MS_BIND | MS_REMOUNT | MS_RDONLY, NULL) < 0) {
+		unsigned long flags = MS_BIND | MS_NOSUID | MS_NOEXEC | MS_NODEV |
+				      MS_REMOUNT | MS_RDONLY;
+		if (mount(NULL, dest, "cgroup", flags, NULL) < 0) {
 			SYSERROR("Error remounting %s readonly", dest);
 			return -1;
 		}
@@ -1250,7 +1252,7 @@ static int mount_cgroup_full(int type, struct hierarchy *h, char *dest,

 	/* mount just the container path rw */
 	char *source = must_make_path(h->mountpoint, h->base_cgroup, container_cgroup, NULL);
-	char *rwpath = must_make_path(dest, container_cgroup, NULL);
+	char *rwpath = must_make_path(dest, h->base_cgroup, container_cgroup, NULL);
 	if (mount(source, rwpath, "cgroup", MS_BIND, NULL) < 0)
 		WARN("Failed to mount %s read-write: %m", rwpath);
 	INFO("Made %s read-write", rwpath);