feat: readonly paths

README.md

@@ -184,6 +184,7 @@ Tests are run on every build in [this Github Action](https://github.com/nixpig/b
 - [x] linux_devices
 - [x] linux_masked_paths
 - [x] linux_mount_label
+- [x] linux_readonly_paths
 - [x] linux_rootfs_propagation
 - [x] linux_sysctl
 - [x] mounts
@@ -221,7 +222,6 @@ Tests are run on every build in [this Github Action](https://github.com/nixpig/b
 - [ ] linux_ns_path
 - [ ] linux_ns_path_type
 - [ ] linux_process_apparmor_profile
-- [ ] linux_readonly_paths
 - [ ] linux_seccomp
 - [ ] linux_uid_mappings
 - [ ] misc_props

container/container_fork.go

@@ -85,7 +85,15 @@ func (c *Container) Fork() error {
 			return err
 		}
 
-		if err := filesystem.MountMaskedPaths(c.Spec.Linux.MaskedPaths); err != nil {
+		if err := filesystem.MountMaskedPaths(
+			c.Spec.Linux.MaskedPaths,
+		); err != nil {
+			return err
+		}
+
+		if err := filesystem.MountReadonlyPaths(
+			c.Spec.Linux.ReadonlyPaths,
+		); err != nil {
 			return err
 		}
 

container/filesystem/readonly_paths.go

@@ -0,0 +1,30 @@
+package filesystem
+
+import "syscall"
+
+func MountReadonlyPaths(paths []string) error {
+	for _, path := range paths {
+		if err := mountDevice(Device{
+			Source: path,
+			Target: path,
+			Fstype: "",
+			Flags:  syscall.MS_REC | syscall.MS_BIND,
+			Data:   "",
+		}); err != nil {
+			return err
+		}
+
+		if err := mountDevice(Device{
+			Source: path,
+			Target: path,
+			Fstype: "",
+			Flags: syscall.MS_NOSUID | syscall.MS_NODEV | syscall.MS_NOEXEC |
+				syscall.MS_BIND | syscall.MS_REMOUNT | syscall.MS_RDONLY,
+			Data: "",
+		}); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}

oci.sh

@@ -39,7 +39,7 @@ tests=(
 # "linux_ns_path"
 # "linux_ns_path_type"
 # "linux_process_apparmor_profile" # ???
-# "linux_readonly_paths"
+  "linux_readonly_paths"
   "linux_rootfs_propagation"
 # "linux_seccomp"
   "linux_sysctl"