make /stacker read only

Signed-off-by: Tycho Andersen <tycho@tycho.ws>
project-stacker · May 18, 2018 · 9942062 · 9942062
1 parent 20986e9
commit 9942062
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 7 deletions.
diff --git a/container.go b/container.go
@@ -164,7 +164,7 @@ func newContainer(sc StackerConfig, name string) (*container, error) {
 		}
 	}
 
-	err = c.bindMount("/sys", "/sys")
+	err = c.bindMount("/sys", "/sys", "")
 	if err != nil {
 		return nil, err
 	}
@@ -178,14 +178,14 @@ func newContainer(sc StackerConfig, name string) (*container, error) {
 	return c, nil
 }
 
-func (c *container) bindMount(source string, dest string) error {
+func (c *container) bindMount(source string, dest string, extraOpts string) error {
 	createOpt := "create=dir"
 	stat, err := os.Lstat(source)
 	if err == nil && !stat.IsDir() {
 		createOpt = "create=file"
 	}
 
-	val := fmt.Sprintf("%s %s none rbind,%s", source, strings.TrimPrefix(dest, "/"), createOpt)
+	val := fmt.Sprintf("%s %s none rbind,%s,%s", source, strings.TrimPrefix(dest, "/"), createOpt, extraOpts)
 	return c.setConfig("lxc.mount.entry", val)
 }
 

diff --git a/grab.go b/grab.go
@@ -17,7 +17,7 @@ func Grab(sc StackerConfig, name string, source string) error {
 		return err
 	}
 
-	err = c.bindMount(cwd, "/stacker")
+	err = c.bindMount(cwd, "/stacker", "")
 	if err != nil {
 		return err
 	}

diff --git a/run.go b/run.go
@@ -16,14 +16,14 @@ func Run(sc StackerConfig, name string, command string, l *Layer, onFailure stri
 
 	importsDir := path.Join(sc.StackerDir, "imports", name)
 	if _, err := os.Stat(importsDir); err == nil {
-		err = c.bindMount(importsDir, "/stacker")
+		err = c.bindMount(importsDir, "/stacker", "ro")
 		if err != nil {
 			return err
 		}
 		defer os.Remove(path.Join(sc.RootFSDir, ".working", "rootfs", "stacker"))
 	}
 
-	err = c.bindMount("/etc/resolv.conf", "/etc/resolv.conf")
+	err = c.bindMount("/etc/resolv.conf", "/etc/resolv.conf", "")
 	if err != nil {
 		return err
 	}
@@ -45,7 +45,7 @@ func Run(sc StackerConfig, name string, command string, l *Layer, onFailure stri
 			target = strings.TrimSpace(parts[1])
 		}
 
-		err = c.bindMount(source, target)
+		err = c.bindMount(source, target, "")
 		if err != nil {
 			return err
 		}

diff --git a/test/env.bats b/test/env.bats
@@ -0,0 +1,18 @@
+load helpers
+
+function teardown() {
+    cleanup
+}
+
+@test "/stacker is ro" {
+    cat > stacker.yaml <<EOF
+test:
+    from:
+        type: docker
+        url: docker://centos:latest
+    run: |
+        # make sure that /stacker is reasonly
+        grep "/stacker" /proc/mounts | grep -P "\sro[\s,]"
+EOF
+    stacker build
+}