Commit 2a0c8db7 authored by Andrey Vagin, committed by Pavel Emelyanov

proc: mount proc with minimal permissions

Eric wants to restrict permissions for proc mounts in a non-root userns
in accordance with proc mounts in the root userns.

Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Fri May 8 23:49:47 2015 -0500

    mnt: Modify fs_fully_visible to deal with locked ro nodev and atime

    Ignore an existing mount if the locked readonly, nodev or atime
    attributes are less permissive than the desired attributes
    of the new mount.
...
Signed-off-by: Andrey Vagin <avagin@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
parent 350a7a98
......@@ -1364,7 +1364,7 @@ static int mount_proc(void)
}
pr_info("Mount procfs in %s\n", proc_mountpoint);
if (mount("proc", proc_mountpoint, "proc", MS_MGC_VAL, NULL)) {
if (mount("proc", proc_mountpoint, "proc", MS_MGC_VAL | MS_NOSUID | MS_NOEXEC | MS_NODEV, NULL)) {
pr_perror("mount failed");
rmdir(proc_mountpoint);
return -1;
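Review bot: the flag set on the changed mount() call in mount_proc() is hard-coded to MS_NOSUID | MS_NOEXEC | MS_NODEV, while the kernel change quoted in the commit message also compares locked readonly and atime attributes. If the proc mount already visible in the namespace is locked read-only or carries a stricter atime setting, this call can still be refused. Please add a comment saying which existing mount these flags are meant to match, and consider making the pr_perror() text include proc_mountpoint so a refused mount is easy to tell apart from other failures.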
......
......@@ -87,7 +87,7 @@ static int prepare_mntns()
* if they are already mounted when the user namespace is created.
* So ./old must be umounted after mounting /proc and /sys.
*/
if (mount("proc", "/proc", "proc", MS_MGC_VAL, NULL)) {
if (mount("proc", "/proc", "proc", MS_MGC_VAL | MS_NOSUID | MS_NOEXEC | MS_NODEV, NULL)) {
fprintf(stderr, "mount(/proc) failed: %m\n");
return -1;
}
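Review bot: the mount() call in prepare_mntns() repeats the same literal `MS_MGC_VAL | MS_NOSUID | MS_NOEXEC | MS_NODEV` as the one in mount_proc(), so the two can drift apart if the required flags change again. A one-line comment next to the call explaining why the flags are needed in a non-root userns would help. The comment above the call also mentions mounting /sys; that mount is not visible in this hunk, so it is worth checking whether it needs the same restriction.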
......