nspawn: Don't mount read-only if we have a custom mount on root.

Daan De Meyer 2019-12-23 11:50:02 +01:00
parent 12da859a3f
commit bbd407ea2b
3 changed files with 16 additions and 1 deletions


@ -989,6 +989,19 @@ int mount_custom(
return 0;
}
bool has_custom_root_mount(const CustomMount *mounts, size_t n) {
size_t i;
for (i = 0; i < n; i++) {
const CustomMount *m = mounts + i;
if (path_equal(m->destination, "/"))
return true;
}
return false;
}
static int setup_volatile_state(const char *directory, uid_t uid_shift, const char *selinux_apifs_context) {
_cleanup_free_ char *buf = NULL;
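Review bot: has_custom_root_mount() has no comment stating its contract, and that contract is narrower than the name suggests: it returns true for any entry whose destination is path-equal to "/", without looking at what kind of mount the entry describes or whether that mount is itself meant to be read-only. Because the caller in outer_child uses the result to skip a hardening step, the limitation should be written down next to the function. I would add above it `/* Returns true if any custom mount targets the container root; the entry's type and read-only setting are not considered. */`.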


@ -55,6 +55,7 @@ int mount_all(const char *dest, MountSettingsMask mount_settings, uid_t uid_shif
int mount_sysfs(const char *dest, MountSettingsMask mount_settings);
int mount_custom(const char *dest, CustomMount *mounts, size_t n, uid_t uid_shift, const char *selinux_apifs_context, MountSettingsMask mount_settings);
bool has_custom_root_mount(const CustomMount *mounts, size_t n);
int setup_volatile_mode(const char *directory, VolatileMode mode, uid_t uid_shift, const char *selinux_apifs_context);


@ -3438,7 +3438,8 @@ static int outer_child(
if (r < 0)
return r;
if (arg_read_only && arg_volatile_mode == VOLATILE_NO) {
if (arg_read_only && arg_volatile_mode == VOLATILE_NO &&
!has_custom_root_mount(arg_custom_mounts, arg_n_custom_mounts)) {
r = bind_remount_recursive(directory, MS_RDONLY, MS_RDONLY, NULL);
if (r < 0)
return log_error_errno(r, "Failed to make tree read-only: %m");
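Review bot: When `arg_read_only` is set and a custom mount targets "/", the recursive MS_RDONLY remount is now skipped with no comment and no log message, so an operator relying on a read-only tree gets no indication that the step was not applied. Whether the custom root mount itself ends up read-only is decided by code outside this hunk and cannot be confirmed from here. I would add a comment above the `if` explaining why the remount is skipped, and log the skip after the block, e.g. `else if (arg_read_only && arg_volatile_mode == VOLATILE_NO) log_debug("Custom mount on root, not remounting tree read-only.");`. outer_child's body starts and ends outside the hunk.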