From: Daan De Meyer
Date: Tue, 24 Dec 2019 10:40:03 +0000 (+0100)
Subject: nspawn: Make a custom mount on root imply --read-only.
X-Git-Tag: v245-rc1~188^2
X-Git-Url: http://git.ipfire.org/?p=thirdparty%2Fsystemd.git;a=commitdiff_plain;h=2436ea761b28ae4b62dda6a14e9b879734bcf1f2
nspawn: Make a custom mount on root imply --read-only.
---
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index f0f9f6eceba..791bdd35321 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -1541,6 +1541,9 @@ static int verify_arguments(void) {
 if (arg_volatile_mode != VOLATILE_NO) /* Make sure all file systems contained in the image are mounted read-only if we are in volatile mode */
 arg_read_only = true;
+ if (has_custom_root_mount(arg_custom_mounts, arg_n_custom_mounts))
+ arg_read_only = true;
+
 if (arg_keep_unit && arg_register && cg_pid_get_owner_uid(0, NULL) >= 0)
 /* Save the user from accidentally registering either user-$SESSION.scope or user@.service.
 * The latter is not technically a user session, but we don't need to labour the point. */
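Review bot: The added `has_custom_root_mount()` branch in verify_arguments() forces `arg_read_only = true` with no comment, while the volatile-mode branch directly above it explains why it sets the same flag. Because this silently overrides the user's choice and decides whether the container can write to the image's file systems, I would add a comment such as `/* A custom mount on the root directory covers the image's own root, so mount the file systems contained in the image read-only */`, with the wording confirmed against the intent of the change. `has_custom_root_mount()` is defined outside this hunk, so it cannot be checked here whether it compares normalized destination paths; that is worth confirming, since the read-only implication only applies when the helper recognizes the mount as a root mount. The body of verify_arguments() starts and ends outside the hunk.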