From: Lennart Poettering <lennart@poettering.net>
Date: Fri, 2 Jun 2023 07:54:18 +0000 (+0200)
Subject: fstab-generator: if we mount via roothash=/usrhash= let's imply "ro" mount option
X-Git-Tag: v254-rc1~303
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2130a2e5a6bcc12bd5417f8e2aadec89aac4ed60;p=thirdparty%2Fsystemd.git

fstab-generator: if we mount via roothash=/usrhash= let's imply "ro" mount option

If we discover the root or /usr/ fs via roothash=/usrhash= we know the
file system mounted on it will be read-only, since Verity volumes are by
definition immutable. Hence, let's imply the "ro" mount option for them.

This way the "kernel: /dev/mapper/usr: Can't open blockdev" boot-time
log message goes away, reported here:

https://github.com/systemd/systemd/issues/27682

(I do wonder though why erofs even tries to open the block device as
writable, that sounds utterly pointless for a file system that carries
the fact it is read-only even in the name...)
---

diff --git a/src/fstab-generator/fstab-generator.c b/src/fstab-generator/fstab-generator.c
index 6f69e23c058..23358ae8a29 100644
--- a/src/fstab-generator/fstab-generator.c
+++ b/src/fstab-generator/fstab-generator.c
@@ -1408,7 +1408,12 @@ static int parse_proc_cmdline_item(const char *key, const char *value, void *dat
         return 0;
 }
 
-static int determine_device(char **what, const char *hash, const char *name) {
+static int determine_device(
+                char **what,
+                int *rw,
+                char **options,
+                const char *hash,
+                const char *name) {
 
         assert(what);
         assert(name);
@@ -1427,17 +1432,22 @@ static int determine_device(char **what, const char *hash, const char *name) {
         if (!*what)
                 return log_oom();
 
-        log_info("Using verity %s device %s.", name, *what);
+        /* Verity is always read-only */
+        if (rw)
+                *rw = false;
+        if (options && !strextend_with_separator(options, ",", "ro"))
+                return log_oom();
 
+        log_info("Using verity %s device %s.", name, *what);
         return 1;
 }
 
 static int determine_root(void) {
-        return determine_device(&arg_root_what, arg_root_hash, "root");
+        return determine_device(&arg_root_what, &arg_root_rw, NULL, arg_root_hash, "root");
 }
 
 static int determine_usr(void) {
-        return determine_device(&arg_usr_what, arg_usr_hash, "usr");
+        return determine_device(&arg_usr_what, NULL, &arg_usr_options, arg_usr_hash, "usr");
 }
 
 /* If arg_sysroot_check is false, run as generator in the usual fashion.