Skip to content

Commit

Permalink
cmd/initContainer: Be aware of security hardened / or /etc
Browse files Browse the repository at this point in the history
On new builds of GNOME OS [1], the host's / is mounted with 'nodev,...'
and those flags are also inherited by /etc because it's not a separate
mount point.  This leads to the same problem with /etc/machine-id that
was seen before with /var/lib/flatpak, /var/lib/systemd/coredump and
/var/log/journal [2].

Therefore, use the same approach [2] to handle /etc/machine-id.

[1] https://gitlab.gnome.org/GNOME/gnome-build-meta/-/issues/718

[2] Commit 1cc9e07
    containers@1cc9e07b7c36fe9f
    containers#1340

containers#911

Signed-off-by: Jordan Petridis <[email protected]>
  • Loading branch information
alatiera authored and debarshiray committed Aug 22, 2023
1 parent a0514cb commit 3ed0af5
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion src/cmd/initContainer.go
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,7 @@ var (
source string
flags string
}{
{"/etc/machine-id", "/run/host/etc/machine-id", "ro"},
{"/etc/machine-id", "/run/host/etc/machine-id", ""},
{"/run/libvirt", "/run/host/run/libvirt", ""},
{"/run/systemd/journal", "/run/host/run/systemd/journal", ""},
{"/run/systemd/resolve", "/run/host/run/systemd/resolve", ""},
Expand Down

0 comments on commit 3ed0af5

Please sign in to comment.