[buildd-tools-devel] Bug#623913: Bug#623913: schroot: Please support read-only bind-mounts

Ralf Jung post at ralfj.de
Sun Feb 23 22:06:26 UTC 2014


Hi,

> I recall that there's a reason why "ro,bind" doesn't work
> directly--you have to do two bind mounts to get it properly
> read-only.  Is that correct?  What's the recommended sequence to make
> this work properly? If we see "ro" and "bind" in the mount options,
> we can probably special-case it; but if it's doable directly in the
> fstab file, that would be even better.  can you do it with two
> entries?
I don't know the reason why a normal mount does not work. But the
following works:
mount -o bind /original /mounted
mount -o remount,bind,ro /mounted
Options are only applied when re-mounting. Adding the same entry to the
fstab twice does not work.

> Definitely.  If we can do this as for ro, that sounds like a good
> idea.
> 
> WRT the "root" mount, this will vary depending upon the chroot type.
> For example, we have mount options for LVM-snapshot and block-device
> type chroots already.  We don't for btrfs, but we could potentially
> remount the subvolume.  Other non-mountable types might be unpacked
> directly on /var, in which case we would have to do bind mount on top
> of the mount trickery?
I am using "directory" chroots, which are bind-mounted into
/var/lib/schroot/mount, so it should work for them as well. I just don't
have a way to configure this. Of course if the chroot is in a tar-file
and unpacked, this cannot work. One could bind-mount the folder on
itself though, and then re-mount it read-only...^^
For now, I went with a solution that "works for me" (TM) without being
particularly elegant: Add [1] to setup.d and [2] into my profile directory.

[1]
http://www.ralfj.de/git/schsh.git/blob/HEAD:/schroot/setup.d/80schsh-hardening
[2]
http://www.ralfj.de/git/schsh.git/blob/HEAD:/schroot/schsh/schsh-hardening

A proper solution would probably be to patch schroot-mount to check if
the "ro" option is present (or any option other than rw and bind, for
that matter), and then do a re-mount immediately after the mount. Plus
some patches in setup.d/10mount for the root case...

Kind regards
Ralf
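
An added example (not schroot's code and not part of the message above) of the two-step sequence described: a helper that turns a fstab-style "bind,ro" entry into the bind-then-remount commands (the special-casing proposed for schroot-mount), plus a check that a mount point is actually read-only according to a /proc/self/mounts-style table. The mounts table in the comments is a constructed sample.

```shell
#!/bin/sh
# Added example, not schroot's code. Emulates the two-step read-only
# bind mount: "ro" is ignored on the initial bind, so any option other
# than rw/bind is applied in a second remount.

# bind_mount_cmds SRC DST OPTS
# Print the mount command(s) for one fstab-style entry. Non-bind entries
# are passed through unchanged; bind entries get a plain bind first and
# then a "remount,bind,<extra>" for the remaining options.
bind_mount_cmds() {
    src=$1 dst=$2 opts=$3
    case ",$opts," in
        *,bind,*) ;;
        *) printf 'mount -o %s %s %s\n' "$opts" "$src" "$dst"; return 0 ;;
    esac
    # Step 1: plain bind mount (options such as "ro" would be ignored here).
    printf 'mount -o bind %s %s\n' "$src" "$dst"
    # Step 2: re-apply everything except rw/bind via remount.
    extra=$(printf '%s' "$opts" | tr ',' '\n' \
            | grep -v -x -e bind -e rw | paste -s -d ',' -)
    if [ -n "$extra" ]; then
        printf 'mount -o remount,bind,%s %s\n' "$extra" "$dst"
    fi
}

# is_mounted_ro TABLE MNT
# TABLE is the text of a mounts table (e.g. "$(cat /proc/self/mounts)");
# succeeds only if MNT is listed with "ro" among its mount options.
# Constructed sample table for testing:
#   /dev/sda1 / ext4 rw,relatime 0 0
#   /dev/sda1 /mounted ext4 ro,relatime 0 0
is_mounted_ro() {
    table=$1 mnt=$2
    printf '%s\n' "$table" | awk -v m="$mnt" '
        $2 == m { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "ro") found = 1 }
        END { exit !found }'
}
```

After running the two generated commands as root, `is_mounted_ro "$(cat /proc/self/mounts)" /mounted` confirms the remount actually took effect, which a plain `mount -o bind,ro` would not.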
