loop-util: open lock fd read-only

flock(2) works with file descriptors opened with O_RDONLY.

This affects SELinux systems where access to block devices is quite
restricted to avoid bypasses on filesystem objects.

diff --git a/src/shared/loop-util.c b/src/shared/loop-util.c
index 731ce291121edfd01f9071b06bd9958f06084644..fb7e80b1b5c0c2c9a7f08a01bb82322531812f67 100644 (file)
--- a/src/shared/loop-util.c
+++ b/src/shared/loop-util.c
@@ -77,7 +77,7 @@ static int open_lock_fd(int primary_fd, int operation) {
         assert(primary_fd >= 0);
         assert(IN_SET(operation & ~LOCK_NB, LOCK_SH, LOCK_EX));
 
-        lock_fd = fd_reopen(primary_fd, O_RDWR|O_CLOEXEC|O_NONBLOCK|O_NOCTTY);
+        lock_fd = fd_reopen(primary_fd, O_RDONLY|O_CLOEXEC|O_NONBLOCK|O_NOCTTY);
         if (lock_fd < 0)
                 return lock_fd;