From: Christian Göttsche Date: Fri, 4 Nov 2022 18:36:31 +0000 (+0100) Subject: loop-util: open lock fd read-only X-Git-Tag: v253-rc1~591 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3e6b7d2626de9c0faf8b34b2629e8d6d8fa85a7d;p=thirdparty%2Fsystemd.git loop-util: open lock fd read-only flock(2) works with file descriptors opened with O_RDONLY. This affects SELinux systems where access to block devices is quite restricted to avoid bypasses on filesystem objects.
---
diff --git a/src/shared/loop-util.c b/src/shared/loop-util.c
index 731ce291121..fb7e80b1b5c 100644
--- a/src/shared/loop-util.c
+++ b/src/shared/loop-util.c
@@ -77,7 +77,7 @@ static int open_lock_fd(int primary_fd, int operation) {
 assert(primary_fd >= 0);
 assert(IN_SET(operation & ~LOCK_NB, LOCK_SH, LOCK_EX));
- lock_fd = fd_reopen(primary_fd, O_RDWR|O_CLOEXEC|O_NONBLOCK|O_NOCTTY);
+ lock_fd = fd_reopen(primary_fd, O_RDONLY|O_CLOEXEC|O_NONBLOCK|O_NOCTTY);
 if (lock_fd < 0) return lock_fd;
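Review bot: The `fd_reopen()` call in `open_lock_fd()` now passes `O_RDONLY`, but nothing in the code records that the read-only mode is deliberate, so a later cleanup could restore `O_RDWR` and bring back the write-access requirement on block devices that the commit message says SELinux policy restricts. I would add a comment above the call, for example `/* flock(2) works on O_RDONLY fds; do not request write access to the device, which MAC policy (e.g. SELinux) may deny */`. The assert above still admits `LOCK_EX`, which flock(2) accepts on a read-only descriptor for local files, so the least-privilege open should not change locking semantics here. The function body continues past the end of the hunk, so the `flock()` call itself is not visible.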