From: Lennart Poettering <lennart@poettering.net>
Date: Fri, 5 Jan 2024 15:42:46 +0000 (+0100)
Subject: nspawn: set read-only access mode on two /run/host/ files
X-Git-Tag: v256-rc1~1260^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F30791%2Fhead;p=thirdparty%2Fsystemd.git

nspawn: set read-only access mode on two /run/host/ files

The diectory is mounted read-only anyway, hence this doesn't do much,
but let's lock this down on every level we can.
---

diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 9e53c51f1ac..3ace3520b9c 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -3946,11 +3946,11 @@ static int outer_child(
 
         /* The same stuff as the $container env var, but nicely readable for the entire payload */
         p = prefix_roota(directory, "/run/host/container-manager");
-        (void) write_string_file(p, arg_container_service_name, WRITE_STRING_FILE_CREATE);
+        (void) write_string_file(p, arg_container_service_name, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_MODE_0444);
 
         /* The same stuff as the $container_uuid env var */
         p = prefix_roota(directory, "/run/host/container-uuid");
-        (void) write_string_filef(p, WRITE_STRING_FILE_CREATE, SD_ID128_UUID_FORMAT_STR, SD_ID128_FORMAT_VAL(arg_uuid));
+        (void) write_string_filef(p, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_MODE_0444, SD_ID128_UUID_FORMAT_STR, SD_ID128_FORMAT_VAL(arg_uuid));
 
         if (!arg_use_cgns) {
                 r = mount_cgroups(