From bbd407ea2bc5ab1fed06868a9d42b4095251e5f7 Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.de_meyer@otnsystems.com>
Date: Mon, 23 Dec 2019 11:50:02 +0100
Subject: [PATCH] nspawn: Don't mount read-only if we have a custom mount on
 root.

---
 src/nspawn/nspawn-mount.c | 13 +++++++++++++
 src/nspawn/nspawn-mount.h |  1 +
 src/nspawn/nspawn.c       |  3 ++-
 3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/src/nspawn/nspawn-mount.c b/src/nspawn/nspawn-mount.c
index f423f625905..6afc31d824b 100644
--- a/src/nspawn/nspawn-mount.c
+++ b/src/nspawn/nspawn-mount.c
@@ -989,6 +989,19 @@ int mount_custom(
         return 0;
 }
 
+bool has_custom_root_mount(const CustomMount *mounts, size_t n) {
+        size_t i;
+
+        for (i = 0; i < n; i++) {
+                const CustomMount *m = mounts + i;
+
+                if (path_equal(m->destination, "/"))
+                        return true;
+        }
+
+        return false;
+}
+
 static int setup_volatile_state(const char *directory, uid_t uid_shift, const char *selinux_apifs_context) {
 
         _cleanup_free_ char *buf = NULL;
diff --git a/src/nspawn/nspawn-mount.h b/src/nspawn/nspawn-mount.h
index aabc9e29bef..680ff350e5d 100644
--- a/src/nspawn/nspawn-mount.h
+++ b/src/nspawn/nspawn-mount.h
@@ -55,6 +55,7 @@ int mount_all(const char *dest, MountSettingsMask mount_settings, uid_t uid_shif
 int mount_sysfs(const char *dest, MountSettingsMask mount_settings);
 
 int mount_custom(const char *dest, CustomMount *mounts, size_t n, uid_t uid_shift, const char *selinux_apifs_context, MountSettingsMask mount_settings);
+bool has_custom_root_mount(const CustomMount *mounts, size_t n);
 
 int setup_volatile_mode(const char *directory, VolatileMode mode, uid_t uid_shift, const char *selinux_apifs_context);
 
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 32294ed0029..f0f9f6eceba 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -3438,7 +3438,8 @@ static int outer_child(
         if (r < 0)
                 return r;
 
-        if (arg_read_only && arg_volatile_mode == VOLATILE_NO) {
+        if (arg_read_only && arg_volatile_mode == VOLATILE_NO &&
+                !has_custom_root_mount(arg_custom_mounts, arg_n_custom_mounts)) {
                 r = bind_remount_recursive(directory, MS_RDONLY, MS_RDONLY, NULL);
                 if (r < 0)
                         return log_error_errno(r, "Failed to make tree read-only: %m");
-- 
2.39.2