jail: mount /sys read-only

Signed-off-by: Daniel Golle <daniel@makrotopia.org>

diff --git a/jail/jail.c b/jail/jail.c
index 25b847d92a9ad093f38da0bb6c9b73a48524406f..052a78e59ccc2be40f632fe7fa1a9e399f88ccc7 100644 (file)
--- a/jail/jail.c
+++ b/jail/jail.c
@@ -302,7 +302,7 @@ static int build_jail_fs(void)
        }
        if (opts.sysfs) {
                mkdir("/sys", 0755);
-               mount("sysfs", "/sys", "sysfs", MS_NOATIME | MS_NODEV | MS_NOEXEC | MS_NOSUID, 0);
+               mount("sysfs", "/sys", "sysfs", MS_NOATIME | MS_NODEV | MS_NOEXEC | MS_NOSUID | MS_RDONLY, 0);
        }
        if (opts.ronly)
                mount(NULL, "/", NULL, MS_RDONLY | MS_REMOUNT, 0);