add nosuid/nodev/noexec settings to the /tmp mount No daemon should be using this space for those things in the first place. Bug: None Test: `minijail0 -vt -- /bin/mount` shows /tmp using no* options Change-Id: I5105243329c74fecc5082b8580958f1949d98c9b

commit: b91d404ee6115dc130b0101b38d875be17c88efb [log] [tgz]
author: Mike Frysinger <vapier@google.com> Fri Jan 13 19:03:34 2017 -0500
committer: Treehugger Robot <treehugger-gerrit@google.com> Fri Jan 20 07:54:39 2017 +0000
tree: 8df5dc52b34b03d4f049d2b335624bf15edfa669
parent: 404d2bb02680f9f433dbe9c71f87bf1f003bf495 [diff] [blame]
diff --git a/libminijail.c b/libminijail.c
index c0fd59e..aa789cd 100644
--- a/libminijail.c
+++ b/libminijail.c

@@ -1238,7 +1238,8 @@
 
 static int mount_tmp(void)
 {
-	return mount("none", "/tmp", "tmpfs", 0, "size=64M,mode=1777");
+	return mount("none", "/tmp", "tmpfs", MS_NODEV | MS_NOEXEC | MS_NOSUID,
+	             "size=64M,mode=1777");
 }
 
 static int remount_proc_readonly(const struct minijail *j)
commit	b91d404ee6115dc130b0101b38d875be17c88efb	[log] [tgz]
author	Mike Frysinger <vapier@google.com>	Fri Jan 13 19:03:34 2017 -0500
committer	Treehugger Robot <treehugger-gerrit@google.com>	Fri Jan 20 07:54:39 2017 +0000
tree	8df5dc52b34b03d4f049d2b335624bf15edfa669
parent	404d2bb02680f9f433dbe9c71f87bf1f003bf495 [diff] [blame]