| author | Lennart Poettering <lennart@poettering.net> | 2021-04-19 22:47:33 +0200 |
|---|---|---|
| committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2021-05-15 19:46:53 +0200 |
| commit | 8337ea90912302143734fa5ae23be1dcbefa14bd (patch) | |
| tree | 23149c86810832c106324848751ca743da25f9f1 | |
| parent | 2769b27cf3cf1503fa8cd1712a7f1a30d5a8c607 (diff) | |
| download | systemd-8337ea90912302143734fa5ae23be1dcbefa14bd.tar.gz | |
dissect: ext4 and loopback files are unimpressed by read-only access
Even if we set up a loopback device read-only and mount it read-only
this means nothing, ext4 will still write through to the backing storage
file.
Yes, I lost 6h debugging time on this.
Apparently, we have to specify "norecovery" when mounting such file
systems, to force them into truly read-only mode. Let's do so.
(cherry picked from commit b620bf332f575ba9b8e4cd60c93446a0c35c23e8)
(cherry picked from commit 8c7bc71e772899a401b377711b63de32a67c951d)
-rw-r--r-- | src/shared/dissect-image.c | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c index e8bb88d89a..b9cfdd8028 100644 --- a/src/shared/dissect-image.c +++ b/src/shared/dissect-image.c 
@@ -1356,6 +1356,27 @@ static int mount_partition( if (!strextend_with_separator(&options, ",", m->mount_options, NULL)) return -ENOMEM; + /* So, when you request MS_RDONLY from ext4, then this means nothing. It happily still writes to the + * backing storage. What's worse, the BLKRO[GS]ET flag and (in case of loopback devices) + * LO_FLAGS_READ_ONLY don't mean anything, they affect userspace accesses only, and write accesses + * from the upper file system still get propagated through to the underlying file system, + * unrestricted. To actually get ext4/xfs/btrfs to stop writing to the device we need to specify + * "norecovery" as mount option, in addition to MS_RDONLY. Yes, this sucks, since it means we need to + * carry a per file system table here. + * + * Note that this means that we might not be able to mount corrupted file systems as read-only + * anymore (since in some cases the kernel implementations will refuse mounting when corrupted, + * read-only and "norecovery" is specified). But I think for the case of automatically determined + * mount options for loopback devices this is the right choice, since otherwise using the same + * loopback file twice even in read-only mode, is going to fail badly sooner or later. The usecase of + * making reuse of the immutable images "just work" is more relevant to us than having read-only + * access that actually modifies stuff work on such image files. Or to say this differently: if + * people want their file systems to be fixed up they should just open them in writable mode, where + * all these problems don't exist. */ + if (!rw && STRPTR_IN_SET(fstype, "ext3", "ext4", "xfs", "btrfs")) + if (!strextend_with_separator(&options, ",", "norecovery", NULL)) + return -ENOMEM; + r = mount_nofollow_verbose(LOG_DEBUG, node, p, fstype, MS_NODEV|(rw ? 0 : MS_RDONLY), options); if (r < 0) return r; |
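Review bot: the new `norecovery` branch introduces a failure mode that the surrounding code does not surface to the user: as the comment itself notes, a file system with a dirty journal may now refuse to mount when `MS_RDONLY` and `norecovery` are combined, yet the subsequent `mount_nofollow_verbose(LOG_DEBUG, ...)` only logs at debug level and the error is returned unchanged, so a caller only sees a generic mount failure. Consider logging a specific hint when `!rw`, the fstype is in the `STRPTR_IN_SET(fstype, "ext3", "ext4", "xfs", "btrfs")` list and the mount fails, e.g. that the image may need a writable mount once to replay its journal. Two smaller points on the same hunk: the comment names "ext4/xfs/btrfs" while the set also contains `"ext3"`, so the comment should list all four so the two stay in sync when the table grows; and `"norecovery"` is appended unconditionally even if `m->mount_options` (merged just above) already contains it, which produces a duplicated option string; a quick check before the `strextend_with_separator` call would avoid that.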