On Wed, Mar 4, 2015 at 3:14 AM, Alexander Larsson <[email protected]> wrote:
> On tis, 2015-03-03 at 09:34 -0800, Andy Lutomirski wrote:
>> On Mon, Mar 2, 2015 at 11:59 PM, Alexander Larsson <[email protected]> wrote:
>>
>> > Also, I'd like to make all the recursively bound subtrees readonly. Is
>> > there a better way to do this than enumerating all mounts and remounting
>> > all that are under /sys.
>> >
>> > In fact this is a general problem I have with recursive bind mounts. If
>> > I want to grant access to some directory with limited access (for
>> > example read-only or nosuid) then I have to use a recursive bind mount,
>> > but the remount is not recursive, and furthermore, it does not apply to
>> > later mounts that get propagated into my namespace.
>> >
>>
>> Oh, yuck.
>>
>> We should finally just make readonly bind mounts work in the first
>> place. You can partially mitigate this by remounting private before
>> you remount ro, though.
>
> I generally run in slave mode, which is what I want here. Either I'm in
> hard containment mode, and something like /mnt will not even be mounted in
> the container, or I'm allowing some form of access to the system/user
> files. If this contains e.g. /mnt then I definitely *do* want to get new
> mounts (say if the user inserted a usb stick).
>

Fair enough.

Eric, I don't understand the mount propagation code at all. Could there
be "propagate read-only" mode? (Presumably along with nodev, nosuid, and
noexec.)

--Andy

> --
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Alexander Larsson                                            Red Hat, Inc
> [email protected]            [email protected]
> He's an uncontrollable drug-addicted boxer who knows the secret of the
> alien invasion. She's a cosmopolitan renegade mechanic from the wrong
> side of the tracks. They fight crime!

--
Andy Lutomirski
AMA Capital Management, LLC
_______________________________________________
gnome-os-list mailing list
[email protected]
https://mail.gnome.org/mailman/listinfo/gnome-os-list
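As an added example that is not part of this thread (the script below is the editor's, not Alexander's or Andy's code): a POSIX shell sketch of the "enumerate all mounts under /sys and remount each" approach the first quoted question describes. It reads the mount table from /proc/self/mountinfo, and it also re-passes each mount's other per-mount flags, because MS_REMOUNT|MS_BIND replaces the whole per-mount flag set rather than adding `ro` to it. The function names `ro_submounts` and `make_subtree_ro` and the embedded mountinfo excerpt are constructed for the example, so the plan stage runs without root; only `make_subtree_ro` touches the live namespace.

```shell
#!/bin/sh
# Added example (not from the thread): make an rbind-mounted subtree read-only
# by listing the mounts at or below it and remounting each one individually.
#
# The problem being worked around:
#   mount --rbind /sys "$root/sys"         # binds /sys and every mount below it
#   mount -o remount,bind,ro "$root/sys"   # read-only for the top mount ONLY;
#                                          # /sys/kernel/debug etc. stay rw
#
# Two details matter for the per-mount remount:
#  * MS_REMOUNT|MS_BIND sets the per-mount flags to exactly what is passed, so
#    nosuid, nodev, noexec and the atime flags must be passed again or they are
#    silently dropped.
#  * In mountinfo, field 5 is the mount point (space, tab, newline and backslash
#    escaped as \040 \011 \012 \134) and field 6 is the per-mount option list.

# ro_submounts PREFIX   (mountinfo text on stdin)
# Prints "MOUNTPOINT<TAB>OPTS" for every mount at or below PREFIX, where OPTS is
# "ro" followed by the mount's existing per-mount flags other than rw/ro.
ro_submounts() {
    awk -v prefix="${1%/}" '
    {
        mp = $5
        gsub(/\\040/, " ", mp); gsub(/\\011/, "\t", mp)
        gsub(/\\012/, "\n", mp); gsub(/\\134/, "\\\\", mp)
        # Match on a path component boundary: /sysroot is not under /sys.
        # An empty prefix (PREFIX was "/") matches every mount.
        if (prefix != "" && mp != prefix && index(mp, prefix "/") != 1) next
        n = split($6, f, ",")
        keep = "ro"
        for (i = 1; i <= n; i++)
            if (f[i] != "rw" && f[i] != "ro") keep = keep "," f[i]
        printf "%s\t%s\n", mp, keep
    }'
}

# make_subtree_ro PREFIX: apply the plan to the current mount namespace.
# Needs CAP_SYS_ADMIN; meant to run right after the rbind, inside the new
# namespace. Mount points containing a tab or newline are not handled here.
make_subtree_ro() {
    tab=$(printf '\t')
    ro_submounts "$1" < /proc/self/mountinfo |
    while IFS=$tab read -r mp opts; do
        mount -o "remount,bind,$opts" "$mp" || exit 1
    done
}

# Constructed mountinfo excerpt for a dry run (not captured from a real host).
SAMPLE_MOUNTINFO='22 61 0:21 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
30 22 0:27 / /sys/fs/cgroup ro,nosuid,nodev,noexec shared:9 - tmpfs tmpfs ro,mode=755
37 22 0:8 / /sys/kernel/debug rw,relatime shared:14 - debugfs debugfs rw
61 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
90 61 8:2 / /sysroot rw,relatime shared:30 - ext4 /dev/sda2 rw
91 61 0:40 / /mnt/usb\040stick rw,nosuid,nodev master:31 - vfat /dev/sdb1 rw'

# Dry run: show what make_subtree_ro /sys would remount, and with which flags.
printf '%s\n' "$SAMPLE_MOUNTINFO" | ro_submounts /sys
```

This only covers mounts that exist when it runs. A mount that propagates in later through a slave relationship arrives with the flags of its source, so it needs the same treatment again, which is exactly the gap the thread is pointing at; the kernel has no "propagate read-only" mode. (Linux 5.12 and later add mount_setattr(2) with AT_RECURSIVE, which can set MOUNT_ATTR_RDONLY, NOSUID, NODEV and NOEXEC across a whole subtree in one call, but that too is a one-shot operation on the mounts present at the time.)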
