]> git.ipfire.org Git - people/ms/ipfire-2.x.git/commitdiff
projects / people / ms / ipfire-2.x.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 80e4ca1)
make.sh: Create all bind-mounts as read-only where possible
authorMichael Tremer <michael.tremer@ipfire.org>
Fri, 5 Jul 2024 08:21:10 +0000 (08:21 +0000)
committerMichael Tremer <michael.tremer@ipfire.org>
Mon, 8 Jul 2024 15:39:43 +0000 (15:39 +0000)
This way, the build environment can no longer modify any source any
more. This was not a huge integrity problem before as Git would have
shown differences, but it might cause damage to the build system which
need to manually be recovered.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
make.sh patch | blob | blame | history

diff --git a/make.sh b/make.sh
index e58788b5b19638f289b6c36c4cde009893b60df3..e2119ef2f1c09ff40e4f6f6cb4748aa9352373ab 100755 (executable)
--- a/make.sh
+++ b/make.sh
@@ -480,15 +480,15 @@ prepareenv() {
                -t tmpfs -o "nosuid,nodev,strictatime,size=4G,nr_inodes=1M,mode=1777"
 
        # Make all sources and proc available under lfs build
-       mount --bind /sys                                       "${BUILD_DIR}/sys"
-       mount --bind "${BASEDIR}/cache"         "${BUILD_DIR}/usr/src/cache"
-       mount --bind "${BASEDIR}/config"        "${BUILD_DIR}/usr/src/config"
-       mount --bind "${BASEDIR}/doc"           "${BUILD_DIR}/usr/src/doc"
-       mount --bind "${BASEDIR}/html"          "${BUILD_DIR}/usr/src/html"
-       mount --bind "${BASEDIR}/langs"         "${BUILD_DIR}/usr/src/langs"
-       mount --bind "${BASEDIR}/lfs"           "${BUILD_DIR}/usr/src/lfs"
-       mount --bind "${BASEDIR}/log"           "${BUILD_DIR}/usr/src/log"
-       mount --bind "${BASEDIR}/src"           "${BUILD_DIR}/usr/src/src"
+       mount --bind            /sys                                    "${BUILD_DIR}/sys"
+       mount --bind -o ro      "${BASEDIR}/cache"              "${BUILD_DIR}/usr/src/cache"
+       mount --bind -o ro      "${BASEDIR}/config"             "${BUILD_DIR}/usr/src/config"
+       mount --bind -o ro      "${BASEDIR}/doc"                "${BUILD_DIR}/usr/src/doc"
+       mount --bind -o ro      "${BASEDIR}/html"               "${BUILD_DIR}/usr/src/html"
+       mount --bind -o ro      "${BASEDIR}/langs"              "${BUILD_DIR}/usr/src/langs"
+       mount --bind -o ro      "${BASEDIR}/lfs"                "${BUILD_DIR}/usr/src/lfs"
+       mount --bind            "${BASEDIR}/log"                "${BUILD_DIR}/usr/src/log"
+       mount --bind -o ro      "${BASEDIR}/src"                "${BUILD_DIR}/usr/src/src"
 
        # Mount the ccache
        mount --bind "${CCACHE_DIR}"            "${BUILD_DIR}/usr/src/ccache"
Michael's tree of IPFire 2.x.