mnt: added nosuid/nodev/noexec flags to config

Closes google#70

config.cc

@@ -210,6 +210,9 @@ static bool configParseInternal(nsjconf_t* nsjconf, const nsjail::NsJailConfig&
 
 		uintptr_t flags = (!njc.mount(i).rw()) ? MS_RDONLY : 0;
 		flags |= njc.mount(i).is_bind() ? (MS_BIND | MS_REC | MS_PRIVATE) : 0;
+		flags |= njc.mount(i).nosuid() ? MS_NOSUID : 0;
+		flags |= njc.mount(i).nodev() ? MS_NODEV : 0;
+		flags |= njc.mount(i).noexec() ? MS_NOEXEC : 0;
 		bool is_mandatory = njc.mount(i).mandatory();
 		bool is_symlink = njc.mount(i).is_symlink();
 		std::string src_content = njc.mount(i).src_content();

config.proto

@@ -51,6 +51,12 @@ message MountPt {
     optional bool mandatory = 11 [default = true];
     /* Is it a symlink (instead of real mount point)? */
     optional bool is_symlink = 12 [default = false];
+    /* Is it a nosuid mount */
+    optional bool nosuid = 13 [default = false];
+    /* Is it a nodev mount */
+    optional bool nodev = 14 [default = false];
+    /* Is it a noexec mount */
+    optional bool noexec = 15 [default = false];
 }
 enum RLimit {
     VALUE = 0; /* Use the provided value */

mnt.cc

@@ -248,7 +248,10 @@ static bool remount(const mount_t& mpt) {
 	    {MS_RELATIME, ST_RELATIME},
 	};
 
-	unsigned long new_flags = MS_REMOUNT | MS_BIND | (mpt.flags & MS_RDONLY);
+	const unsigned long per_mountpoint_flags =
+	    MS_LAZYTIME | MS_MANDLOCK | MS_NOATIME | MS_NODEV | MS_NODIRATIME | MS_NOEXEC |
+	    MS_NOSUID | MS_RELATIME | MS_RDONLY | MS_SYNCHRONOUS;
+	unsigned long new_flags = MS_REMOUNT | MS_BIND | (mpt.flags & per_mountpoint_flags);
 	for (const auto& i : mountPairs) {
 		if (vfs.f_flag & i.vfs_flag) {
 			new_flags |= i.mount_flag;