793088ed0aebfb99177bd2f1edf7cf872e321ee9
If a container is read-only, also set /proc, /sys, & /dev to read-only.

This should apply to both privileged and unprivileged containers. Note that when /dev is read-only, device files may still be written to. This change will simply prevent the device paths from being modified, or mknod from creating new devices within the /dev path.

Tests are included for all cases. Also adds a test to ensure that /dev/pts is always mounted read/write, even in the case of a read-write rootfs. The kernel restricts writes here naturally and bad things will happen if we mount it ro.

Signed-off-by: Eric Windisch <eric@windisch.us>
Upstream-commit: 5400d8873f730e6099d29af49fe45931665c3b49
Component: engine
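The mount behaviour the commit message describes, as an added example that is not the engine's own code: when the rootfs is read-only, /proc, /sys and /dev are bind-remounted read-only, /dev/pts is always left read-write, and the probe shows the two caveats from the message (an existing device node such as /dev/null still accepts writes, while mknod of a new node is refused with EROFS). The function names, the /dev/demo-node path and the use of a bind remount (MS_BIND|MS_REMOUNT|MS_RDONLY) are assumptions of this example; Apply and Probe need root inside a private mount namespace (for instance `sudo unshare -m ./readonly-demo`), the planning and validation functions run anywhere.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"syscall"
)

// MountPlan is one remount to perform inside the container's mount namespace.
type MountPlan struct {
	Path     string
	ReadOnly bool
}

// PlanMounts mirrors the rule from the commit message: with a read-only
// rootfs, /proc, /sys and /dev are remounted read-only too, while
// /dev/pts is never made read-only (the kernel already polices writes there).
func PlanMounts(rootfsReadOnly bool) []MountPlan {
	return []MountPlan{
		{Path: "/proc", ReadOnly: rootfsReadOnly},
		{Path: "/sys", ReadOnly: rootfsReadOnly},
		{Path: "/dev", ReadOnly: rootfsReadOnly},
		{Path: "/dev/pts", ReadOnly: false},
	}
}

// Validate is the counterpart of the "/dev/pts is always rw" test: it
// rejects any plan that would remount /dev/pts read-only.
func Validate(plans []MountPlan) error {
	for _, p := range plans {
		if p.Path == "/dev/pts" && p.ReadOnly {
			return errors.New("/dev/pts must stay read-write")
		}
	}
	return nil
}

// RemountFlags returns mount(2) flags for a bind remount of an existing
// mountpoint (assumed mechanism, not necessarily the engine's): MS_BIND|MS_REMOUNT
// changes only the per-mountpoint flags, so the underlying filesystem is untouched.
func RemountFlags(readOnly bool) uintptr {
	flags := uintptr(syscall.MS_BIND | syscall.MS_REMOUNT)
	if readOnly {
		flags |= syscall.MS_RDONLY
	}
	return flags
}

// Apply performs the remounts. Without root in a private mount namespace
// mount(2) fails (typically EPERM) and the error is returned.
func Apply(plans []MountPlan) error {
	for _, p := range plans {
		if err := syscall.Mount(p.Path, p.Path, "", RemountFlags(p.ReadOnly), ""); err != nil {
			return fmt.Errorf("remount %s ro=%v: %w", p.Path, p.ReadOnly, err)
		}
	}
	return nil
}

// Probe exercises the caveat: a read-only /dev still lets you write to an
// existing device node, but creating a new node fails because the
// mountpoint (not the device) is read-only.
func Probe() (writeOK bool, mknodErr error) {
	if err := os.WriteFile("/dev/null", []byte("x"), 0); err == nil {
		writeOK = true
	}
	// dev number for major 1, minor 3 (/dev/null) in the classic major<<8|minor layout.
	dev := int((1 << 8) | 3)
	mknodErr = syscall.Mknod("/dev/demo-node", syscall.S_IFCHR|0600, dev) // hypothetical path
	return writeOK, mknodErr
}

func main() {
	plans := PlanMounts(true)
	if err := Validate(plans); err != nil {
		fmt.Println("bad plan:", err)
		os.Exit(1)
	}
	if err := Apply(plans); err != nil {
		fmt.Println("remount failed (needs root in a private mount namespace):", err)
		return
	}
	writeOK, mknodErr := Probe()
	fmt.Printf("write to /dev/null still works: %v\n", writeOK)
	fmt.Printf("mknod refused with EROFS: %v\n", errors.Is(mknodErr, syscall.EROFS))
}
```

Validate is deliberately separate from PlanMounts so the invariant is checked against whatever plan is about to be applied, which is what a unit test of the real engine would assert; the remount itself uses a bind remount so only the mountpoint's read-only bit changes and the host's /proc, /sys and /dev are unaffected once the namespace is torn down.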