dracut/0050-ro_mnt-option-at-build-time-to-force-ro-mount-of-and.patch

From ff3953efe1aec2229273cd59e7d35a540de0e476 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Amadeusz=20=C5=BBo=C5=82nowski?= <aidecoe@aidecoe.name>
Date: Thu, 26 Jul 2012 16:44:09 +0200
Subject: [PATCH] ro_mnt - option at build time to force ro mount of / and
 /usr

---
 dracut.conf                      | 3 +++
 dracut.conf.5.asc                | 3 +++
 dracut.sh                        | 6 +++++-
 modules.d/99base/module-setup.sh | 3 +++
 4 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/dracut.conf b/dracut.conf
index f47d571..f912acc 100644
--- a/dracut.conf
+++ b/dracut.conf
@@ -43,6 +43,9 @@ lvmconf="yes"
 # inhibit installation of any fsck tools
 #nofscks="yes"
 
+# mount / and /usr read-only by default
+#ro_mnt="no"
+
 # set the directory for temporary files
 # default: /var/tmp
 #tmpdir=/tmp
diff --git a/dracut.conf.5.asc b/dracut.conf.5.asc
index d17477d..89bbf61 100644
--- a/dracut.conf.5.asc
+++ b/dracut.conf.5.asc
@@ -97,6 +97,9 @@ If chrooted to another root other than the real root device, use --fstab and pro
 *nofscks=*"__{yes|no}__"::
     If specified, inhibit installation of any fsck tools.
 
+*ro_mnt*
+    Mount _/_ and _/usr_ read-only by default.
+
 *kernel_only=*"__{yes|no}__"::
     Only install kernel drivers and firmware files. (default=no)
 
diff --git a/dracut.sh b/dracut.sh
index d8b3354..eee829e 100755
--- a/dracut.sh
+++ b/dracut.sh
@@ -101,6 +101,7 @@ Creates initial ramdisk images for preloading modules
   --nolvmconf           Do not include local /etc/lvm/lvm.conf
   --fscks [LIST]        Add a space-separated list of fsck helpers.
   --nofscks             Inhibit installation of any fsck helpers.
+  --ro-mnt              Mount / and /usr read-only by default.
   -h, --help            This message
   --debug               Output debug information of the build process
   --profile             Output profile information of the build process
@@ -261,6 +262,7 @@ TEMP=$(unset POSIXLY_CORRECT; getopt \
     --long add-fstab: \
     --long mount: \
     --long nofscks: \
+    --long ro-mnt \
     --long kmoddir: \
     --long conf: \
     --long confdir: \
@@ -326,6 +328,7 @@ while :; do
         --add-fstab)   push add_fstab_l          "$2"; shift;;
         --mount)       push fstab_lines          "$2"; shift;;
         --nofscks)     nofscks_l="yes";;
+        --ro-mnt)      ro_mnt_l="yes";;
         -k|--kmoddir)  drivers_dir_l="$2"; shift;;
         -c|--conf)     conffile="$2"; shift;;
         --confdir)     confdir="$2"; shift;;
@@ -558,6 +561,7 @@ stdloglvl=$((stdloglvl + verbosity_mod_l))
 [[ $compress_l ]] && compress=$compress_l
 [[ $show_modules_l ]] && show_modules=$show_modules_l
 [[ $nofscks_l ]] && nofscks="yes"
+[[ $ro_mnt_l ]] && ro_mnt="yes"
 # eliminate IFS hackery when messing with fw_dir
 fw_dir=${fw_dir//:/ }
 
@@ -779,7 +783,7 @@ fi
 export initdir dracutbasedir dracutmodules drivers \
     fw_dir drivers_dir debug no_kernel kernel_only \
     add_drivers omit_drivers mdadmconf lvmconf filesystems \
-    use_fstab fstab_lines libdirs fscks nofscks \
+    use_fstab fstab_lines libdirs fscks nofscks ro_mnt \
     stdloglvl sysloglvl fileloglvl kmsgloglvl logfile \
     debug host_fs_types host_devs sshkey add_fstab \
     DRACUT_VERSION udevdir systemdutildir systemdsystemunitdir \
diff --git a/modules.d/99base/module-setup.sh b/modules.d/99base/module-setup.sh
index f20ca1a..dde1285 100755
--- a/modules.d/99base/module-setup.sh
+++ b/modules.d/99base/module-setup.sh
@@ -50,6 +50,9 @@ install() {
     fi
 
     ln -fs /proc/self/mounts "$initdir/etc/mtab"
+    if [[ $ro_mnt = yes ]]; then
+        echo ro >> "${initdir}/etc/cmdline.d/base.conf"
+    fi
 
     if [ -e /etc/os-release ]; then
         . /etc/os-release
dracut-022-63.git20120727 - fixed dracut-install bug if /var/tmp contains a symlink - fixed some partx issues 2012-07-27 04:28:40 +00:00			`From ff3953efe1aec2229273cd59e7d35a540de0e476 Mon Sep 17 00:00:00 2001`
			`From: =?UTF-8?q?Amadeusz=20=C5=BBo=C5=82nowski?= <aidecoe@aidecoe.name>`
			`Date: Thu, 26 Jul 2012 16:44:09 +0200`
			`Subject: [PATCH] ro_mnt - option at build time to force ro mount of / and`
			`/usr`

			`---`
			`dracut.conf \| 3 +++`
			`dracut.conf.5.asc \| 3 +++`
			`dracut.sh \| 6 +++++-`
			`modules.d/99base/module-setup.sh \| 3 +++`
			`4 files changed, 14 insertions(+), 1 deletion(-)`

			`diff --git a/dracut.conf b/dracut.conf`
			`index f47d571..f912acc 100644`
			`--- a/dracut.conf`
			`+++ b/dracut.conf`
			`@@ -43,6 +43,9 @@ lvmconf="yes"`
			`# inhibit installation of any fsck tools`
			`#nofscks="yes"`

			`+# mount / and /usr read-only by default`
			`+#ro_mnt="no"`
			`+`
			`# set the directory for temporary files`
			`# default: /var/tmp`
			`#tmpdir=/tmp`
			`diff --git a/dracut.conf.5.asc b/dracut.conf.5.asc`
			`index d17477d..89bbf61 100644`
			`--- a/dracut.conf.5.asc`
			`+++ b/dracut.conf.5.asc`
			`@@ -97,6 +97,9 @@ If chrooted to another root other than the real root device, use --fstab and pro`
			`nofscks="__{yes\|no}__"::`
			`If specified, inhibit installation of any fsck tools.`

			`+ro_mnt`
			`+ Mount _/_ and _/usr_ read-only by default.`
			`+`
			`kernel_only="__{yes\|no}__"::`
			`Only install kernel drivers and firmware files. (default=no)`

			`diff --git a/dracut.sh b/dracut.sh`
			`index d8b3354..eee829e 100755`
			`--- a/dracut.sh`
			`+++ b/dracut.sh`
			`@@ -101,6 +101,7 @@ Creates initial ramdisk images for preloading modules`
			`--nolvmconf Do not include local /etc/lvm/lvm.conf`
			`--fscks [LIST] Add a space-separated list of fsck helpers.`
			`--nofscks Inhibit installation of any fsck helpers.`
			`+ --ro-mnt Mount / and /usr read-only by default.`
			`-h, --help This message`
			`--debug Output debug information of the build process`
			`--profile Output profile information of the build process`
			`@@ -261,6 +262,7 @@ TEMP=$(unset POSIXLY_CORRECT; getopt \`
			`--long add-fstab: \`
			`--long mount: \`
			`--long nofscks: \`
			`+ --long ro-mnt \`
			`--long kmoddir: \`
			`--long conf: \`
			`--long confdir: \`
			`@@ -326,6 +328,7 @@ while :; do`
			`--add-fstab) push add_fstab_l "$2"; shift;;`
			`--mount) push fstab_lines "$2"; shift;;`
			`--nofscks) nofscks_l="yes";;`
			`+ --ro-mnt) ro_mnt_l="yes";;`
			`-k\|--kmoddir) drivers_dir_l="$2"; shift;;`
			`-c\|--conf) conffile="$2"; shift;;`
			`--confdir) confdir="$2"; shift;;`
			`@@ -558,6 +561,7 @@ stdloglvl=$((stdloglvl + verbosity_mod_l))`
			`[[ $compress_l ]] && compress=$compress_l`
			`[[ $show_modules_l ]] && show_modules=$show_modules_l`
			`[[ $nofscks_l ]] && nofscks="yes"`
			`+[[ $ro_mnt_l ]] && ro_mnt="yes"`
			`# eliminate IFS hackery when messing with fw_dir`
			`fw_dir=${fw_dir//:/ }`

			`@@ -779,7 +783,7 @@ fi`
			`export initdir dracutbasedir dracutmodules drivers \`
			`fw_dir drivers_dir debug no_kernel kernel_only \`
			`add_drivers omit_drivers mdadmconf lvmconf filesystems \`
			`- use_fstab fstab_lines libdirs fscks nofscks \`
			`+ use_fstab fstab_lines libdirs fscks nofscks ro_mnt \`
			`stdloglvl sysloglvl fileloglvl kmsgloglvl logfile \`
			`debug host_fs_types host_devs sshkey add_fstab \`
			`DRACUT_VERSION udevdir systemdutildir systemdsystemunitdir \`
			`diff --git a/modules.d/99base/module-setup.sh b/modules.d/99base/module-setup.sh`
			`index f20ca1a..dde1285 100755`
			`--- a/modules.d/99base/module-setup.sh`
			`+++ b/modules.d/99base/module-setup.sh`
			`@@ -50,6 +50,9 @@ install() {`
			`fi`

			`ln -fs /proc/self/mounts "$initdir/etc/mtab"`
			`+ if [[ $ro_mnt = yes ]]; then`
			`+ echo ro >> "${initdir}/etc/cmdline.d/base.conf"`
			`+ fi`

			`if [ -e /etc/os-release ]; then`
			`. /etc/os-release`