core: Make private /dev read-only after populating it

author Daan De Meyer <daan.j.demeyer@gmail.com>

Wed, 27 Sep 2023 09:55:59 +0000 (11:55 +0200)

committer Daan De Meyer <daan.j.demeyer@gmail.com>

Fri, 29 Sep 2023 09:02:06 +0000 (11:02 +0200)
author Daan De Meyer <daan.j.demeyer@gmail.com>
Wed, 27 Sep 2023 09:55:59 +0000 (11:55 +0200)
committer Daan De Meyer <daan.j.demeyer@gmail.com>
Fri, 29 Sep 2023 09:02:06 +0000 (11:02 +0200)
diff --git a/src/core/namespace.c b/src/core/namespace.c

index e2304f5d066da8b345bf69fa4f21786519d011b7..d1153f76901400d15c61153694aed5aac0d77046 100644 (file)
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -995,6 +995,11 @@ static int mount_private_dev(MountEntry *m) {
          if (r < 0)
                  log_debug_errno(r, "Failed to set up basic device tree at '%s', ignoring: %m", temporary_mount);
  
+        /* Make the bind mount read-only. */
+        r = mount_nofollow_verbose(LOG_DEBUG, NULL, dev, NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL);
+        if (r < 0)
+                return r;
+
          /* Create the /dev directory if missing. It is more likely to be missing when the service is started
           * with RootDirectory. This is consistent with mount units creating the mount points when missing. */
          (void) mkdir_p_label(mount_entry_path(m), 0755);
author	Daan De Meyer <daan.j.demeyer@gmail.com>
	Wed, 27 Sep 2023 09:55:59 +0000 (11:55 +0200)
committer	Daan De Meyer <daan.j.demeyer@gmail.com>
	Fri, 29 Sep 2023 09:02:06 +0000 (11:02 +0200)