From 2859600a6fad3ccf6abb95144d2e9136b93a6e6f Mon Sep 17 00:00:00 2001
From: Julio Montes
Date: Thu, 22 Jul 2021 09:57:23 -0500
Subject: [PATCH] runtime: virtcontainers: make rootfs image read-only

Improve security by making rootfs image read-only, nobody will be able to modify it from the guest.

fixes #1916

Signed-off-by: Julio Montes
---
 src/runtime/virtcontainers/qemu_amd64_test.go | 1 +
 src/runtime/virtcontainers/qemu_arch_base.go | 1 +
 2 files changed, 2 insertions(+)

diff --git a/src/runtime/virtcontainers/qemu_amd64_test.go b/src/runtime/virtcontainers/qemu_amd64_test.go
index 532970769ce5..106abf31c55c 100644
--- a/src/runtime/virtcontainers/qemu_amd64_test.go
+++ b/src/runtime/virtcontainers/qemu_amd64_test.go
@@ -138,6 +138,7 @@ func TestQemuAmd64AppendImage(t *testing.T) {
 ID: "mem0",
 MemPath: f.Name(),
 Size: (uint64)(imageStat.Size()),
+ ReadOnly: true,
 },
 }
diff --git a/src/runtime/virtcontainers/qemu_arch_base.go b/src/runtime/virtcontainers/qemu_arch_base.go
index c1716ec48843..50a82bf5a306 100644
--- a/src/runtime/virtcontainers/qemu_arch_base.go
+++ b/src/runtime/virtcontainers/qemu_arch_base.go
@@ -406,6 +406,7 @@ func (q *qemuArchBase) appendNvdimmImage(devices []govmmQemu.Device, path string
 ID: "mem0",
 MemPath: path,
 Size: (uint64)(imageStat.Size()),
+ ReadOnly: true,
 }
 devices = append(devices, object)
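Review bot: The new `ReadOnly: true` in appendNvdimmImage (second hunk) carries the security rationale only in the commit message, so a later maintainer looking for a writable-image knob has nothing in the code telling them this is a deliberate hardening rather than an arbitrary default; a why-comment on that line would fix it, e.g. `ReadOnly: true, // the rootfs image is shared by every guest on the host and must never be writable from inside a guest (#1916)`. It also looks like this field ends up as the `readonly` option of QEMU's `memory-backend-file`, so if the runtime's minimum supported QEMU predates that option the hardening would surface as a VM launch failure rather than a silently writable image; the hunk adds no version gate, so that minimum is worth confirming. The enclosing appendNvdimmImage starts before the hunk and continues after `devices = append(devices, object)`.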