ro_mnt - option at build time to force ro mount of / and /usr

12 years ago · ff3953efe1
4 changed files with 14 additions and 1 deletions
--- a/dracut.conf
+++ b/dracut.conf
@ -43,6 +43,9 @@ lvmconf="yes"
				@@ -43,6 +43,9 @@ lvmconf="yes"
 # inhibit installation of any fsck tools
 #nofscks="yes"

+# mount / and /usr read-only by default
+#ro_mnt="no"
+
 # set the directory for temporary files
 # default: /var/tmp
 #tmpdir=/tmp
--- a/dracut.conf.5.asc
+++ b/dracut.conf.5.asc
@ -97,6 +97,9 @@ If chrooted to another root other than the real root device, use --fstab and pro
				@@ -97,6 +97,9 @@ If chrooted to another root other than the real root device, use --fstab and pro
 *nofscks=*"__{yes|no}__"::
    If specified, inhibit installation of any fsck tools.

+*ro_mnt*
+    Mount _/_ and _/usr_ read-only by default.
+
 *kernel_only=*"__{yes|no}__"::
    Only install kernel drivers and firmware files. (default=no)

--- a/dracut.sh
+++ b/dracut.sh
@ -101,6 +101,7 @@ Creates initial ramdisk images for preloading modules
				@@ -101,6 +101,7 @@ Creates initial ramdisk images for preloading modules
  --nolvmconf           Do not include local /etc/lvm/lvm.conf
  --fscks [LIST]        Add a space-separated list of fsck helpers.
  --nofscks             Inhibit installation of any fsck helpers.
+  --ro-mnt              Mount / and /usr read-only by default.
  -h, --help            This message
  --debug               Output debug information of the build process
  --profile             Output profile information of the build process
@ -261,6 +262,7 @@ TEMP=$(unset POSIXLY_CORRECT; getopt \
				@@ -261,6 +262,7 @@ TEMP=$(unset POSIXLY_CORRECT; getopt \
    --long add-fstab: \
    --long mount: \
    --long nofscks: \
+    --long ro-mnt \
    --long kmoddir: \
    --long conf: \
    --long confdir: \
@ -326,6 +328,7 @@ while :; do
				@@ -326,6 +328,7 @@ while :; do
        --add-fstab)   push add_fstab_l          "$2"; shift;;
        --mount)       push fstab_lines          "$2"; shift;;
        --nofscks)     nofscks_l="yes";;
+        --ro-mnt)      ro_mnt_l="yes";;
        -k|--kmoddir)  drivers_dir_l="$2"; shift;;
        -c|--conf)     conffile="$2"; shift;;
        --confdir)     confdir="$2"; shift;;
@ -558,6 +561,7 @@ stdloglvl=$((stdloglvl + verbosity_mod_l))
				@@ -558,6 +561,7 @@ stdloglvl=$((stdloglvl + verbosity_mod_l))
 [[ $compress_l ]] && compress=$compress_l
 [[ $show_modules_l ]] && show_modules=$show_modules_l
 [[ $nofscks_l ]] && nofscks="yes"
+[[ $ro_mnt_l ]] && ro_mnt="yes"
 # eliminate IFS hackery when messing with fw_dir
 fw_dir=${fw_dir//:/ }

@ -779,7 +783,7 @@ fi
				@@ -779,7 +783,7 @@ fi
 export initdir dracutbasedir dracutmodules drivers \
    fw_dir drivers_dir debug no_kernel kernel_only \
    add_drivers omit_drivers mdadmconf lvmconf filesystems \
-    use_fstab fstab_lines libdirs fscks nofscks \
+    use_fstab fstab_lines libdirs fscks nofscks ro_mnt \
    stdloglvl sysloglvl fileloglvl kmsgloglvl logfile \
    debug host_fs_types host_devs sshkey add_fstab \
    DRACUT_VERSION udevdir systemdutildir systemdsystemunitdir \
--- a/modules.d/99base/module-setup.sh
+++ b/modules.d/99base/module-setup.sh
@ -50,6 +50,9 @@ install() {
				@@ -50,6 +50,9 @@ install() {
    fi

    ln -fs /proc/self/mounts "$initdir/etc/mtab"
+    if [[ $ro_mnt = yes ]]; then
+        echo ro >> "${initdir}/etc/cmdline.d/base.conf"
+    fi

    if [ -e /etc/os-release ]; then
        . /etc/os-release