From 27b8db2421dae81ca58300621e48e13f93a91150 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Fri, 5 Jul 2024 08:21:10 +0000
Subject: [PATCH] make.sh: Create all bind-mounts as read-only where possible

This way, the build environment can no longer modify any source any more.

This was not a huge integrity problem before as Git would have shown differences, but it might cause damage to the build system which need to manually be recovered.

Signed-off-by: Michael Tremer
---
 make.sh | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/make.sh b/make.sh
index e58788b5b1..e2119ef2f1 100755
--- a/make.sh
+++ b/make.sh
@@ -480,15 +480,15 @@ prepareenv() {
 -t tmpfs -o "nosuid,nodev,strictatime,size=4G,nr_inodes=1M,mode=1777"
 # Make all sources and proc available under lfs build
- mount --bind /sys "${BUILD_DIR}/sys"
- mount --bind "${BASEDIR}/cache" "${BUILD_DIR}/usr/src/cache"
- mount --bind "${BASEDIR}/config" "${BUILD_DIR}/usr/src/config"
- mount --bind "${BASEDIR}/doc" "${BUILD_DIR}/usr/src/doc"
- mount --bind "${BASEDIR}/html" "${BUILD_DIR}/usr/src/html"
- mount --bind "${BASEDIR}/langs" "${BUILD_DIR}/usr/src/langs"
- mount --bind "${BASEDIR}/lfs" "${BUILD_DIR}/usr/src/lfs"
- mount --bind "${BASEDIR}/log" "${BUILD_DIR}/usr/src/log"
- mount --bind "${BASEDIR}/src" "${BUILD_DIR}/usr/src/src"
+ mount --bind /sys "${BUILD_DIR}/sys"
+ mount --bind -o ro "${BASEDIR}/cache" "${BUILD_DIR}/usr/src/cache"
+ mount --bind -o ro "${BASEDIR}/config" "${BUILD_DIR}/usr/src/config"
+ mount --bind -o ro "${BASEDIR}/doc" "${BUILD_DIR}/usr/src/doc"
+ mount --bind -o ro "${BASEDIR}/html" "${BUILD_DIR}/usr/src/html"
+ mount --bind -o ro "${BASEDIR}/langs" "${BUILD_DIR}/usr/src/langs"
+ mount --bind -o ro "${BASEDIR}/lfs" "${BUILD_DIR}/usr/src/lfs"
+ mount --bind "${BASEDIR}/log" "${BUILD_DIR}/usr/src/log"
+ mount --bind -o ro "${BASEDIR}/src" "${BUILD_DIR}/usr/src/src"
 # Mount the ccache
 mount --bind "${CCACHE_DIR}" "${BUILD_DIR}/usr/src/ccache"
-- 
2.47.3
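Review bot: The `-o ro` added to the seven `mount --bind` lines is not a kernel feature: mount(8) implements it in userspace as a second, non-atomic remount(2) after the bind (util-linux 2.27 and later), and older mount binaries silently ignore options given with `--bind`, so on such a host every one of these mounts would stay writable without any error being reported. Since the point of the change is to keep the build from touching the source tree, I would make the remount explicit and let a failure be visible, for example by collapsing the repeated lines into a loop that does `mount --bind` followed by `mount -o remount,bind,ro`; whether a failed mount aborts `prepareenv()` depends on `set -e` or error handling outside this hunk, which I cannot see, so an explicit `|| return 1` is safest. It is also worth a comment that a read-only bind mount only guards against accidental writes — a root process inside the build environment can remount it read-write — so this is an integrity aid, not a boundary. `prepareenv()` begins before this hunk and continues after it.
```shell
	# Make all sources and proc available under lfs build
	mount --bind /sys "${BUILD_DIR}/sys"
	# Read-only is done by a second remount; older util-linux silently drops
	# "-o ro" on --bind, so request it explicitly and fail loudly.
	for dir in cache config doc html langs lfs src; do
		mount --bind "${BASEDIR}/${dir}" "${BUILD_DIR}/usr/src/${dir}" || return 1
		mount -o remount,bind,ro "${BUILD_DIR}/usr/src/${dir}" || return 1
	done
	mount --bind "${BASEDIR}/log" "${BUILD_DIR}/usr/src/log"
	# … unchanged: ccache mount …
```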