From 2436ea761b28ae4b62dda6a14e9b879734bcf1f2 Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Tue, 24 Dec 2019 11:40:03 +0100
Subject: [PATCH] nspawn: Make a custom mount on root imply --read-only.
---
 src/nspawn/nspawn.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index f0f9f6eceba..791bdd35321 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -1541,6 +1541,9 @@ static int verify_arguments(void) {
 if (arg_volatile_mode != VOLATILE_NO) /* Make sure all file systems contained in the image are mounted read-only if we are in volatile mode */
 arg_read_only = true;
+ if (has_custom_root_mount(arg_custom_mounts, arg_n_custom_mounts))
+ arg_read_only = true;
+
 if (arg_keep_unit && arg_register && cg_pid_get_owner_uid(0, NULL) >= 0)
 /* Save the user from accidentally registering either user-$SESSION.scope or user@.service.
 * The latter is not technically a user session, but we don't need to labour the point. */
--
2.47.3
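Review bot: The added `if (has_custom_root_mount(arg_custom_mounts, arg_n_custom_mounts))` branch forces `arg_read_only = true` without saying why, whereas the volatile-mode branch directly above it carries its rationale in a comment. Because this silently changes the write protection of the container's root for anyone who configures a custom mount on `/`, I would add a comment along the lines of `/* A custom mount on / takes the place of the image's root, so keep the image itself read-only */`; that rationale is inferred from the subject line and should be confirmed by the author. The diffstat shows only nspawn.c touched, so the `--read-only` documentation presumably still needs a sentence about the implied behaviour. verify_arguments() begins and continues outside the hunk.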