From: Daan De Meyer Date: Wed, 27 Sep 2023 09:55:59 +0000 (+0200) Subject: core: Make private /dev read-only after populating it X-Git-Tag: v255-rc1~366^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4a9e03aa6bb2cbd23dac00f2b2a7642cc79eaade;p=thirdparty%2Fsystemd.git core: Make private /dev read-only after populating it
---
diff --git a/src/core/namespace.c b/src/core/namespace.c
index e2304f5d066..d1153f76901 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -995,6 +995,11 @@ static int mount_private_dev(MountEntry *m) {
 if (r < 0)
 log_debug_errno(r, "Failed to set up basic device tree at '%s', ignoring: %m", temporary_mount);
 
+/* Make the bind mount read-only. */
+r = mount_nofollow_verbose(LOG_DEBUG, NULL, dev, NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL);
+if (r < 0)
+return r;
+
 /* Create the /dev directory if missing. It is more likely to be missing when the service is started
 * with RootDirectory. This is consistent with mount units creating the mount points when missing. */
 (void) mkdir_p_label(mount_entry_path(m), 0755);
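Review bot: The read-only remount passes only `MS_REMOUNT|MS_BIND|MS_RDONLY`, and a bind remount replaces the per-mount flags with exactly the set given, so if the mount at `dev` was created earlier in this function (outside the hunk) with hardening flags such as nosuid or noexec, this call would silently drop them while adding read-only. Either repeat the original flag set here, e.g. `MS_REMOUNT|MS_BIND|MS_RDONLY|<flags used for the original mount — placeholder>`, or use a helper that reads the mount's current flags from mountinfo before remounting, so that read-only is added rather than substituted. The added early `return r` also bypasses whatever teardown of `temporary_mount` and `dev` the function does on later failure paths; if that cleanup is goto-based rather than attribute-based, this return leaks the temporary mount. mount_private_dev starts and ends outside the hunk, so the original mount flags and cleanup style cannot be confirmed from here.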