fix: cgroup delegate
Fix mount option nsdelegate.
It makes delegation safe (more restrictions in the cgroup namespace).

Signed-off-by: Serge Logvinov <serge.logvinov@sinextra.dev>
sergelogvinov authored and smira committed Aug 23, 2021
1 parent 751f64f commit e24b93b
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion internal/pkg/mount/cgroups.go
Expand Up @@ -13,7 +13,7 @@ import (
// CGroupMountPoints returns the cgroup mount points.
func CGroupMountPoints() (mountpoints *Points, err error) {
cgroups := NewMountPoints()
cgroups.Set("cgroup2", NewMountPoint("cgroup", constants.CgroupMountPath, "cgroup2", unix.MS_NOSUID|unix.MS_NODEV|unix.MS_NOEXEC|unix.MS_RELATIME, "nsdelegate,memory_recursiveprot"))
cgroups.Set("cgroup2", NewMountPoint("cgroup", constants.CgroupMountPath, "cgroup2", unix.MS_NOSUID|unix.MS_NODEV|unix.MS_NOEXEC|unix.MS_RELATIME, "nsdelegate"))

return cgroups, nil
}
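Review bot: The options string passed on the `cgroups.Set("cgroup2", ...)` line is the only place the cgroup2 delegation boundary is configured, and neither the call nor the `CGroupMountPoints` doc comment records why `nsdelegate` must be present. I would add a comment above the call, e.g. `// nsdelegate makes cgroup namespaces delegation boundaries; the kernel ignores it on non-init-namespace mounts, so it must stay on this mount.` The page prints both `"nsdelegate,memory_recursiveprot"` and `"nsdelegate"` without +/- markers, so which is the new side cannot be told from here; if the shorter one is new, `memory.low`/`memory.min` protection stops propagating to descendant cgroups and the commit message should say that this is intended. A unit test asserting that the cgroup2 mount point's data contains `nsdelegate` would keep a later edit from silently dropping it.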
