nspawn: mount os-release in two steps to make it read-only

The kernel interface requires setting up read-only bind-mounts in two steps, the bind first and then a read-only remount. Fix nspawn-mount, and cover this case in the integration test. Fixes #16484
2020-07-16 09:47:16 +01:00 · 2020-07-16 09:47:16 +01:00 · 14f1c47a0c
parent eafc7d6056
commit 14f1c47a0c
2 changed files with 9 additions and 3 deletions
--- a/src/nspawn/nspawn-mount.c
+++ b/src/nspawn/nspawn-mount.c
@ -563,10 +563,14 @@ int mount_all(const char *dest,
                  MOUNT_FATAL|MOUNT_MKDIR },
                { "tmpfs",                  "/run",                         "tmpfs", "mode=755" TMPFS_LIMITS_RUN,      MS_NOSUID|MS_NODEV|MS_STRICTATIME,
                  MOUNT_FATAL|MOUNT_MKDIR },
-                { "/usr/lib/os-release",    "/run/host/usr/lib/os-release", NULL,    NULL,                             MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV,
-                  MOUNT_FATAL|MOUNT_MKDIR|MOUNT_TOUCH },
-                { "/etc/os-release",        "/run/host/etc/os-release",     NULL,    NULL,                             MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV,
+                { "/usr/lib/os-release",    "/run/host/usr/lib/os-release", NULL,    NULL,                             MS_BIND,
+                  MOUNT_FATAL|MOUNT_MKDIR|MOUNT_TOUCH }, /* As per kernel interface requirements, bind mount first (creating mount points) and make read-only later */
+                { NULL,                     "/run/host/usr/lib/os-release", NULL,    NULL,                             MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT,
+                  0 },
+                { "/etc/os-release",        "/run/host/etc/os-release",     NULL,    NULL,                             MS_BIND,
                  MOUNT_MKDIR|MOUNT_TOUCH },
+                { NULL,                     "/run/host/etc/os-release",     NULL,    NULL,                             MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT,
+                  0 },

 #if HAVE_SELINUX
                { "/sys/fs/selinux",        "/sys/fs/selinux",              NULL,    NULL,                             MS_BIND,
--- a/test/units/testsuite-13.sh
+++ b/test/units/testsuite-13.sh
@ -67,6 +67,8 @@ if [ -n "${VERSION_ID:+set}" ] && [ "${VERSION_ID}" != "${container_host_version
 if [ -n "${BUILD_ID:+set}" ] && [ "${BUILD_ID}" != "${container_host_build_id}" ]; then exit 1; fi
 if [ -n "${VARIANT_ID:+set}" ] && [ "${VARIANT_ID}" != "${container_host_variant_id}" ]; then exit 1; fi
 cd /tmp; (cd /run/host/usr/lib; md5sum os-release) | md5sum -c
+if echo test >> /run/host/usr/lib/os-release; then exit 1; fi
+if echo test >> /run/host/etc/os-release; then exit 1; fi
 '

    systemd-nspawn --register=no -D /testsuite-13.nc-container --bind=/etc/os-release:/tmp/os-release /bin/sh -x -e -c "$_cmd"