author | Luca Boccassi <luca.boccassi@microsoft.com> | 2020-07-16 09:47:16 +0100 |
---|---|---|
committer | Luca Boccassi <luca.boccassi@microsoft.com> | 2020-07-16 09:59:59 +0100 |
commit | 14f1c47a0cd0c9ad9c30e2354a0fdba26417ccf0 (patch) | |
tree | a4e752f18e185e73d8dcf2be1032feb79cd271ff /src/nspawn/nspawn-mount.c | |
parent | eafc7d60569064f30663a93463b7c5df5768bac6 (diff) | |
download | systemd-14f1c47a0cd0c9ad9c30e2354a0fdba26417ccf0.tar.gz |
nspawn: mount os-release in two steps to make it read-only
The kernel interface requires setting up read-only bind-mounts in
two steps, the bind first and then a read-only remount.
Fix nspawn-mount, and cover this case in the integration test.
Fixes #16484
Diffstat (limited to 'src/nspawn/nspawn-mount.c')
-rw-r--r-- | src/nspawn/nspawn-mount.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/src/nspawn/nspawn-mount.c b/src/nspawn/nspawn-mount.c
index ea250af0d7..4687ac4c18 100644
--- a/src/nspawn/nspawn-mount.c
+++ b/src/nspawn/nspawn-mount.c
@@ -563,10 +563,14 @@ int mount_all(const char *dest,
 MOUNT_FATAL|MOUNT_MKDIR },
 { "tmpfs", "/run", "tmpfs", "mode=755" TMPFS_LIMITS_RUN, MS_NOSUID|MS_NODEV|MS_STRICTATIME,
 MOUNT_FATAL|MOUNT_MKDIR },
- { "/usr/lib/os-release", "/run/host/usr/lib/os-release", NULL, NULL, MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV,
- MOUNT_FATAL|MOUNT_MKDIR|MOUNT_TOUCH },
- { "/etc/os-release", "/run/host/etc/os-release", NULL, NULL, MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV,
+ { "/usr/lib/os-release", "/run/host/usr/lib/os-release", NULL, NULL, MS_BIND,
+ MOUNT_FATAL|MOUNT_MKDIR|MOUNT_TOUCH }, /* As per kernel interface requirements, bind mount first (creating mount points) and make read-only later */
+ { NULL, "/run/host/usr/lib/os-release", NULL, NULL, MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT,
+ 0 },
+ { "/etc/os-release", "/run/host/etc/os-release", NULL, NULL, MS_BIND,
 MOUNT_MKDIR|MOUNT_TOUCH },
+ { NULL, "/run/host/etc/os-release", NULL, NULL, MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT,
+ 0 },
 #if HAVE_SELINUX
 { "/sys/fs/selinux", "/sys/fs/selinux", NULL, NULL, MS_BIND, |