From 05c4514e22e7789b66c913d7d34b4fbaf30f3f6c Mon Sep 17 00:00:00 2001
From: Felix Obenhuber
Date: Thu, 19 Oct 2023 13:48:00 +0200
Subject: [PATCH] Mount container root nosuid
---
 northstar-runtime/src/runtime/mount.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/northstar-runtime/src/runtime/mount.rs b/northstar-runtime/src/runtime/mount.rs
index 869609475..7bb1bd602 100644
--- a/northstar-runtime/src/runtime/mount.rs
+++ b/northstar-runtime/src/runtime/mount.rs
@@ -267,7 +267,7 @@ fn mount(
 device.display(),
 target.display(),
 );
- const FLAGS: MountFlags = MountFlags::MS_RDONLY;
+ let flags = MountFlags::MS_RDONLY | MountFlags::MS_NOSUID;
 const FSTYPE: Option<&str> = Some(FS_TYPE);
 let source = Some(&device);
 let data = selinux
@@ -275,7 +275,7 @@ fn mount(
 .and(selinux_context)
 .map(|context| format!("context={}", context.as_str()));
 let data = data.as_deref();
- let mount_result = nix::mount::mount(source, target, FSTYPE, FLAGS, data);
+ let mount_result = nix::mount::mount(source, target, FSTYPE, flags, data);
 if let Err(ref e) = mount_result {
 warn!("Failed to mount: {}", e);
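Review bot: The new flag set in the first hunk adds `MS_NOSUID` but not `MS_NODEV`, so device nodes contained in the container image would still be honoured on the root mount. If the image is never expected to carry device files (presumably /dev comes from a separate mount, which is not visible here), consider `let flags = MountFlags::MS_RDONLY | MountFlags::MS_NOSUID | MountFlags::MS_NODEV;`. A short comment above the line would record the intent, e.g. `// nosuid: setuid/setgid bits and file capabilities in the image are not honoured on exec`. The body of `mount` starts and ends outside both hunks, so whether other mount calls in this file apply the same flags cannot be checked from this patch.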