Hi,

> I recall that there's a reason why "ro,bind" doesn't work
> directly--you have to do two bind mounts to get it properly
> read-only. Is that correct? What's the recommended sequence to make
> this work properly? If we see "ro" and "bind" in the mount options,
> we can probably special-case it; but if it's doable directly in the
> fstab file, that would be even better. Can you do it with two
> entries?

I don't know the reason why a normal mount does not work. But the following works:

    mount -o bind /original /mounted
    mount -o remount,bind,ro /mounted

Options are only applied when re-mounting. Adding the same entry to the fstab twice does not work.
> Definitely. If we can do this as for ro, that sounds like a good
> idea.
>
> WRT the "root" mount, this will vary depending upon the chroot type.
> For example, we have mount options for LVM-snapshot and block-device
> type chroots already. We don't for btrfs, but we could potentially
> remount the subvolume. Other non-mountable types might be unpacked
> directly on /var, in which case we would have to do bind mount on top
> of the mount trickery?

I am using "directory" chroots, which are bind-mounted into /var/lib/schroot/mount, so it should work for them as well. I just don't have a way to configure this. Of course, if the chroot is in a tar file and unpacked, this cannot work. One could bind-mount the folder on itself though, and then re-mount it read-only... ^^

For now, I went with a solution that "works for me" (TM) without being particularly elegant: add [1] to setup.d and [2] to my profile directory.

[1] http://www.ralfj.de/git/schsh.git/blob/HEAD:/schroot/setup.d/80schsh-hardening
[2] http://www.ralfj.de/git/schsh.git/blob/HEAD:/schroot/schsh/schsh-hardening

A proper solution would probably be to patch schroot-mount to check if the "ro" option is present (or any option other than rw and bind, for that matter), and then do a re-mount immediately after the mount. Plus some patches in setup.d/10mount for the root case...

Kind regards
Ralf
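The two-step sequence from the thread, plus the two checks a practitioner would want around it, as an added example that is not part of the thread or of schroot's own code: a function that performs the bind-then-remount, a function implementing the "any option other than rw and bind" test that Ralf proposes for schroot-mount, and a function that verifies from mount-table text (/proc/self/mounts format) that the target really ended up read-only. The optional third argument of ro_bind_mount (a substitute mount command), the inclusion of "defaults" among the harmless options, and the sample mount table are all assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the thread): read-only bind mounts done the way
# Ralf describes. A plain "mount -o bind,ro" sets up the bind but ignores
# "ro"; the option only takes effect on the following remount.

# Bind SRC onto DST, then remount DST read-only. The optional third
# argument is the command used as mount(8) (hypothetical hook so the control
# flow can be exercised without root); it defaults to the real mount.
ro_bind_mount() {
    src=$1
    dst=$2
    mount_cmd=${3:-mount}
    "$mount_cmd" -o bind "$src" "$dst" || return 1
    "$mount_cmd" -o remount,bind,ro "$dst" || return 1
}

# Return 0 (true) when an fstab option list contains anything a plain bind
# mount would silently drop, i.e. anything other than bind/rw/defaults.
# This is the check Ralf suggests adding to schroot-mount; treating
# "defaults" as harmless is an assumption of this example.
needs_remount() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$1" | tr ',' '\n' | grep -qvx -e bind -e rw -e defaults
}

# Return 0 when MOUNTPOINT appears in TABLE (text in /proc/self/mounts
# format: "source target fstype options dump pass") with "ro" among its
# options. Run this after the remount to confirm the mount is read-only.
is_mounted_ro() {
    mountpoint=$1
    table=$2
    printf '%s\n' "$table" | awk -v mp="$mountpoint" '
        $2 == mp {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "ro") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample mount table (not captured from a real system): the
# source stays rw, the bind mount carries the per-mount ro flag.
SAMPLE_TABLE='/dev/sda1 /original ext4 rw,relatime 0 0
/dev/sda1 /mounted ext4 ro,relatime 0 0'

# Usage, as root:
#   ro_bind_mount /original /mounted
#   is_mounted_ro /mounted "$(cat /proc/self/mounts)" && echo "read-only bind OK"
```

The "ro" that is_mounted_ro looks for is the per-mount flag, so a read-only bind over a read-write filesystem shows "ro" for the bind target while the source line still shows "rw"; checking the target rather than the source is what catches a bind whose remount step was skipped. Since util-linux 2.27, mount(8) performs this remount itself when given `-o bind,ro`, but the explicit two-step form stays portable to older tools and the verification step is cheap either way.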