From 511fd97b5355dd51632f48cf2354eeb7e6aa6260 Mon Sep 17 00:00:00 2001
From: Daniel Golle
Date: Sun, 12 Apr 2020 21:12:20 +0100
Subject: [PATCH] jail: make /proc more secure

Make sure /proc/sys is read-only while keeping read-write access to /proc/sys/net if spawning a new network namespace.

Signed-off-by: Daniel Golle
---
 jail/jail.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/jail/jail.c b/jail/jail.c
index fa8da01..25b847d 100644
--- a/jail/jail.c
+++ b/jail/jail.c
@@ -286,6 +286,19 @@ static int build_jail_fs(void)
 if (opts.procfs) {
 mkdir("/proc", 0755);
 mount("proc", "/proc", "proc", MS_NOATIME | MS_NODEV | MS_NOEXEC | MS_NOSUID, 0);
+ /*
+ * make /proc/sys read-only while keeping read-write to
+ * /proc/sys/net if CLONE_NEWNET is set.
+ */
+ if (opts.namespace & CLONE_NEWNET)
+ mount("/proc/sys/net", "/proc/self/net", NULL, MS_BIND, 0);
+
+ mount("/proc/sys", "/proc/sys", NULL, MS_BIND, 0);
+ mount(NULL, "/proc/sys", NULL, MS_REMOUNT | MS_RDONLY, 0);
+ mount(NULL, "/proc", NULL, MS_REMOUNT, 0);
+
+ if (opts.namespace & CLONE_NEWNET)
+ mount("/proc/self/net", "/proc/sys/net", NULL, MS_MOVE, 0);
 }
 if (opts.sysfs) {
 mkdir("/sys", 0755);
--
2.25.1
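Review bot: The added `mount(NULL, "/proc", NULL, MS_REMOUNT, 0)` appears to drop the MS_NOATIME | MS_NODEV | MS_NOEXEC | MS_NOSUID flags the /proc mount was created with a few lines earlier, since as far as mount(2) documents, a remount replaces the user-settable per-mount flags with the ones passed; that remount is only needed because the preceding `MS_REMOUNT | MS_RDONLY` without MS_BIND acts on the whole proc superblock rather than on the /proc/sys bind mount alone. Remounting just the bind mount, `mount(NULL, "/proc/sys", NULL, MS_REMOUNT | MS_BIND | MS_RDONLY, 0);`, would make the /proc remount unnecessary; if it is kept, it should carry the original flag set, `mount(NULL, "/proc", NULL, MS_REMOUNT | MS_NOATIME | MS_NODEV | MS_NOEXEC | MS_NOSUID, 0);`. None of the new mount() calls check their return value, so a failed read-only remount silently leaves /proc/sys writable inside the jail; I would at least check the MS_RDONLY remount and make build_jail_fs return an error when it fails. build_jail_fs continues outside the hunk.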