From eacb142b31ebbe5d493b27a5305d8edddb5a8f51 Mon Sep 17 00:00:00 2001
From: Matthias Schiffer
Date: Wed, 20 Oct 2021 19:37:28 +0200
Subject: container: bind mount rootfs onto itself

Required to pivot_root() into the rootfs. While we're at it, also make it read-only to prevent accidental changes.
---
 src/runner/container/init.rs | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/runner/container/init.rs b/src/runner/container/init.rs
index b489e73..68091b6 100644
--- a/src/runner/container/init.rs
+++ b/src/runner/container/init.rs
@@ -13,6 +13,9 @@ fn prepare_rootfs(rootfs: &str) -> Result<()> {
 tar::unpack(File::open(paths::ROOTFS_ARCHIVE)?, rootfs)
 .context("Unpacking build container rootfs failed")?;
+ mount::mount::<_, _, str, str>(Some(rootfs), rootfs, None, MsFlags::MS_BIND, None)
+ .context("Failed to bind mount container rootfs")?;
+
 for dir in IntoIterator::into_iter(["pts", "shm", "mqueue"]) {
 fs::mkdir(paths::join(&[rootfs, "dev", dir]))?;
 }
@@ -37,6 +40,15 @@ fn prepare_rootfs(rootfs: &str) -> Result<()> {
 .with_context(|| format!("Failed to bind mount {}", source))?;
 }
+ mount::mount::(
+ None,
+ rootfs,
+ None,
+ MsFlags::MS_REMOUNT | MsFlags::MS_BIND | MsFlags::MS_RDONLY,
+ None,
+ )
+ .context("Failed to mount container rootfs read-only")?;
+
 Ok(())
 }
-- cgit v1.2.3
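Review bot: The self bind mount in the first hunk (`mount::mount::<_, _, str, str>(Some(rootfs), rootfs, None, MsFlags::MS_BIND, None)`) makes rootfs a mount point, but pivot_root(2) additionally requires that this mount and its parent are not MS_SHARED; on hosts where / is shared (the systemd default), a bind created after a plain unshare(CLONE_NEWNS) inherits that propagation, so pivot_root fails with EINVAL and the new mount is also visible to the host's peer group. If propagation is not already made private where the mount namespace is set up — that code is outside this hunk, and prepare_rootfs itself begins before the hunk and continues past it — a `mount::mount::<str, str, str, str>(None, "/", None, MsFlags::MS_REC | MsFlags::MS_PRIVATE, None).context("Failed to make mounts private")?;` placed before this bind would cover both problems. A one-line comment on the bind, e.g. `// Make rootfs a mount point so pivot_root() can use it as the new root`, would also record why a directory is being bound onto itself.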
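Review bot: The read-only remount in the second hunk (`MsFlags::MS_REMOUNT | MsFlags::MS_BIND | MsFlags::MS_RDONLY`) replaces the bind mount's per-mount flags with exactly that set, so any nosuid/nodev/noexec the rootfs bind inherited from the host mount it was created on are cleared at this point rather than preserved. If those restrictions are wanted on the container root — nodev in particular, since the /dev entries appear to come from the separate mounts above — they have to be listed explicitly, e.g. `MsFlags::MS_REMOUNT | MsFlags::MS_BIND | MsFlags::MS_RDONLY | MsFlags::MS_NODEV`, with MS_NOSUID added only if the build does not rely on setuid binaries. As rendered here the call reads `mount::mount::(` with no type arguments, which would not compile; presumably the turbofish was lost in rendering, but since the three `None` arguments cannot be inferred it should carry `<str, str, str, str>` the way the first call carries `<_, _, str, str>`. A short comment such as `// Drop write access now that the mount tree is populated` would explain why the remount is the last step.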