From e72beada8aefebe96b17c74d5c0c438d897a433d Mon Sep 17 00:00:00 2001
From: Alexander Larsson
Date: Fri, 15 May 2015 17:44:20 +0200
Subject: [PATCH] helper: Bind mount /sys subset

Instead of mounting our own sysfs instance we bind mount in only a subset of the /sys subdirectories from the host. This has several advantages:
* If something was covered out in the host we will shadow that (i.e. the app will never see more of sysfs than non xdg-apps)
* We can avoid showing some weird parts of sysfs, focusing on the device descriptions needed for e.g. mesa
* Bind mounts are allowed in a non-root user-namespace, whereas the sysfs mount is not, taking us one step closer to that.
---
 xdg-app-helper.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/xdg-app-helper.c b/xdg-app-helper.c
index b6fb98e6..4f333765 100644
--- a/xdg-app-helper.c
+++ b/xdg-app-helper.c
@@ -423,7 +423,16 @@ static const create_table_t create[] = {
 { FILE_TYPE_BIND_RO, "proc/irq", 0755, "proc/irq"},
 { FILE_TYPE_BIND_RO, "proc/bus", 0755, "proc/bus"},
 { FILE_TYPE_DIR, "sys", 0755},
- { FILE_TYPE_MOUNT, "sys"},
+ { FILE_TYPE_DIR, "sys/block", 0755},
+ { FILE_TYPE_BIND_RO, "sys/block", 0755, "/sys/block"},
+ { FILE_TYPE_DIR, "sys/bus", 0755},
+ { FILE_TYPE_BIND_RO, "sys/bus", 0755, "/sys/bus"},
+ { FILE_TYPE_DIR, "sys/class", 0755},
+ { FILE_TYPE_BIND_RO, "sys/class", 0755, "/sys/class"},
+ { FILE_TYPE_DIR, "sys/dev", 0755},
+ { FILE_TYPE_BIND_RO, "sys/dev", 0755, "/sys/dev"},
+ { FILE_TYPE_DIR, "sys/devices", 0755},
+ { FILE_TYPE_BIND_RO, "sys/devices", 0755, "/sys/devices"},
 { FILE_TYPE_DIR, "dev", 0755},
 { FILE_TYPE_MOUNT, "dev"},
 { FILE_TYPE_DIR, "dev/pts", 0755},
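Review bot: The five `FILE_TYPE_BIND_RO` entries for `sys/block` through `sys/devices` replace a sysfs mount that carried `MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV` (the `mount_table` row removed in the second hunk), and nothing visible in this diff shows the bind-mount path applying the same flags. The `FILE_TYPE_BIND_RO` handler and the rest of `create[]` are outside the hunk, so confirm that the handler remounts each bind read-only with nosuid/nodev/noexec, and, if the bind is recursive, that host submounts beneath these directories are made read-only too, since a read-only remount of a bind mount does not by itself cover mounts below it. It is also worth checking what the helper does when a source such as `/sys/block` is missing on the host, so that a partial /sys is either a hard failure or an explicitly tolerated case. A short comment above the first entry would record the intent, e.g. `/* Bind only the host /sys subset needed for device discovery; must stay read-only, nosuid, nodev, noexec */`.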
@@ -453,7 +462,6 @@ static const create_table_t create_post[] = {
 static const mount_table_t mount_table[] = {
 { "proc", "proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
- { "sysfs", "sys", "sysfs", NULL, MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV },
 { "tmpfs", "dev", "tmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME },
 { "devpts", "dev/pts", "devpts","newinstance,ptmxmode=0666,mode=620,gid=5", MS_NOSUID|MS_NOEXEC },
 { "tmpfs", "dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME },