From ff3953efe1aec2229273cd59e7d35a540de0e476 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Amadeusz=20=C5=BBo=C5=82nowski?= Date: Thu, 26 Jul 2012 16:44:09 +0200 Subject: [PATCH] ro_mnt - option at build time to force ro mount of / and /usr --- dracut.conf | 3 +++ dracut.conf.5.asc | 3 +++ dracut.sh | 6 +++++- modules.d/99base/module-setup.sh | 3 +++ 4 files changed, 14 insertions(+), 1 deletion(-) diff --git a/dracut.conf b/dracut.conf index f47d571..f912acc 100644 --- a/dracut.conf +++ b/dracut.conf @@ -43,6 +43,9 @@ lvmconf="yes" # inhibit installation of any fsck tools #nofscks="yes" +# mount / and /usr read-only by default +#ro_mnt="no" + # set the directory for temporary files # default: /var/tmp #tmpdir=/tmp diff --git a/dracut.conf.5.asc b/dracut.conf.5.asc index d17477d..89bbf61 100644 --- a/dracut.conf.5.asc +++ b/dracut.conf.5.asc @@ -97,6 +97,9 @@ If chrooted to another root other than the real root device, use --fstab and pro *nofscks=*"__{yes|no}__":: If specified, inhibit installation of any fsck tools. +*ro_mnt* + Mount _/_ and _/usr_ read-only by default. + *kernel_only=*"__{yes|no}__":: Only install kernel drivers and firmware files. (default=no) diff --git a/dracut.sh b/dracut.sh index d8b3354..eee829e 100755 --- a/dracut.sh +++ b/dracut.sh @@ -101,6 +101,7 @@ Creates initial ramdisk images for preloading modules --nolvmconf Do not include local /etc/lvm/lvm.conf --fscks [LIST] Add a space-separated list of fsck helpers. --nofscks Inhibit installation of any fsck helpers. + --ro-mnt Mount / and /usr read-only by default. -h, --help This message --debug Output debug information of the build process --profile Output profile information of the build process @@ -261,6 +262,7 @@ TEMP=$(unset POSIXLY_CORRECT; getopt \ --long add-fstab: \ --long mount: \ --long nofscks: \ + --long ro-mnt \ --long kmoddir: \ --long conf: \ --long confdir: \ @@ -326,6 +328,7 @@ while :; do --add-fstab) push add_fstab_l "$2"; shift;; --mount) push fstab_lines "$2"; shift;; --nofscks) nofscks_l="yes";; + --ro-mnt) ro_mnt_l="yes";; -k|--kmoddir) drivers_dir_l="$2"; shift;; -c|--conf) conffile="$2"; shift;; --confdir) confdir="$2"; shift;; @@ -558,6 +561,7 @@ stdloglvl=$((stdloglvl + verbosity_mod_l)) [[ $compress_l ]] && compress=$compress_l [[ $show_modules_l ]] && show_modules=$show_modules_l [[ $nofscks_l ]] && nofscks="yes" +[[ $ro_mnt_l ]] && ro_mnt="yes" # eliminate IFS hackery when messing with fw_dir fw_dir=${fw_dir//:/ } @@ -779,7 +783,7 @@ fi export initdir dracutbasedir dracutmodules drivers \ fw_dir drivers_dir debug no_kernel kernel_only \ add_drivers omit_drivers mdadmconf lvmconf filesystems \ - use_fstab fstab_lines libdirs fscks nofscks \ + use_fstab fstab_lines libdirs fscks nofscks ro_mnt \ stdloglvl sysloglvl fileloglvl kmsgloglvl logfile \ debug host_fs_types host_devs sshkey add_fstab \ DRACUT_VERSION udevdir systemdutildir systemdsystemunitdir \ diff --git a/modules.d/99base/module-setup.sh b/modules.d/99base/module-setup.sh index f20ca1a..dde1285 100755 --- a/modules.d/99base/module-setup.sh +++ b/modules.d/99base/module-setup.sh @@ -50,6 +50,9 @@ install() { fi ln -fs /proc/self/mounts "$initdir/etc/mtab" + if [[ $ro_mnt = yes ]]; then + echo ro >> "${initdir}/etc/cmdline.d/base.conf" + fi if [ -e /etc/os-release ]; then . /etc/os-release