dissect: ext4 and loopback files are unimpressed by read-only access

Even if we set up a loopback device read-only and mount it read-only this means nothing, ext4 will still write through to the backing storage file. Yes, I lost 6h debugging time on this. Apparently, we have to specify "norecovery" when mounting such file systems, to force them into truly read-only mode. Let's do so. (cherry picked from commit b620bf332f575ba9b8e4cd60c93446a0c35c23e8) (cherry picked from commit 8c7bc71e772899a401b377711b63de32a67c951d)
author: Lennart Poettering <lennart@poettering.net> 2021-04-19 22:47:33 +0200
committer: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> 2021-05-15 19:46:53 +0200
commit: 8337ea90912302143734fa5ae23be1dcbefa14bd (patch)
tree: 23149c86810832c106324848751ca743da25f9f1
parent: 2769b27cf3cf1503fa8cd1712a7f1a30d5a8c607 (diff)
download: systemd-8337ea90912302143734fa5ae23be1dcbefa14bd.tar.gz
1 files changed, 21 insertions, 0 deletions
diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
index e8bb88d89a..b9cfdd8028 100644
--- a/src/shared/dissect-image.c
+++ b/src/shared/dissect-image.c
@@ -1356,6 +1356,27 @@ static int mount_partition(
                 if (!strextend_with_separator(&options, ",", m->mount_options, NULL))
                         return -ENOMEM;
 
+        /* So, when you request MS_RDONLY from ext4, then this means nothing. It happily still writes to the
+         * backing storage. What's worse, the BLKRO[GS]ET flag and (in case of loopback devices)
+         * LO_FLAGS_READ_ONLY don't mean anything, they affect userspace accesses only, and write accesses
+         * from the upper file system still get propagated through to the underlying file system,
+         * unrestricted. To actually get ext4/xfs/btrfs to stop writing to the device we need to specify
+         * "norecovery" as mount option, in addition to MS_RDONLY. Yes, this sucks, since it means we need to
+         * carry a per file system table here.
+         *
+         * Note that this means that we might not be able to mount corrupted file systems as read-only
+         * anymore (since in some cases the kernel implementations will refuse mounting when corrupted,
+         * read-only and "norecovery" is specified). But I think for the case of automatically determined
+         * mount options for loopback devices this is the right choice, since otherwise using the same
+         * loopback file twice even in read-only mode, is going to fail badly sooner or later. The usecase of
+         * making reuse of the immutable images "just work" is more relevant to us than having read-only
+         * access that actually modifies stuff work on such image files. Or to say this differently: if
+         * people want their file systems to be fixed up they should just open them in writable mode, where
+         * all these problems don't exist. */
+        if (!rw && STRPTR_IN_SET(fstype, "ext3", "ext4", "xfs", "btrfs"))
+                if (!strextend_with_separator(&options, ",", "norecovery", NULL))
+                        return -ENOMEM;
+
         r = mount_nofollow_verbose(LOG_DEBUG, node, p, fstype, MS_NODEV|(rw ? 0 : MS_RDONLY), options);
         if (r < 0)
                 return r;
author	Lennart Poettering <lennart@poettering.net>	2021-04-19 22:47:33 +0200
committer	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>	2021-05-15 19:46:53 +0200
commit	8337ea90912302143734fa5ae23be1dcbefa14bd (patch)
tree	23149c86810832c106324848751ca743da25f9f1
parent	2769b27cf3cf1503fa8cd1712a7f1a30d5a8c607 (diff)
download	systemd-8337ea90912302143734fa5ae23be1dcbefa14bd.tar.gz