Mount /sys RO

As noted inline, this works around potential issues by being a strong
indication you are in a container (e.g. [1]).  Since nothing should be
changing anything on the host/build system, this is a generically
safer way to operate.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1975588

Change-Id: Ic6802c4ffc2e825f129af10717860a2d1770fe80

diskimage_builder/elements/debian-minimal/root.d/75-debian-minimal-baseinstall

@@ -48,7 +48,7 @@ function apt_sources_write {
 }
 
 sudo mount -t proc none $TARGET_ROOT/proc
-sudo mount -t sysfs none $TARGET_ROOT/sys
+sudo mount -o ro -t sysfs none $TARGET_ROOT/sys
 trap "sudo umount $TARGET_ROOT/proc; sudo umount $TARGET_ROOT/sys" EXIT
 
 apt_get="sudo chroot $TARGET_ROOT /usr/bin/apt-get"

diskimage_builder/elements/ramdisk/init.d/10-start-base-system

@@ -2,7 +2,7 @@ mkdir -p /proc /sys /dev /boot /etc /mnt /lib/modules
 
 mount -t proc proc /proc
 
-mount -t sysfs none /sys
+mount -o ro -t sysfs none /sys
 
 UDEVD=
 if [ -x "/bin/systemd-udevd" ]; then

diskimage_builder/elements/ubuntu-minimal/root.d/75-ubuntu-minimal-baseinstall

@@ -41,7 +41,7 @@ done
 
 
 sudo mount -t proc none $TARGET_ROOT/proc
-sudo mount -t sysfs none $TARGET_ROOT/sys
+sudo mount -o ro -t sysfs none $TARGET_ROOT/sys
 trap "sudo umount $TARGET_ROOT/proc; sudo umount $TARGET_ROOT/sys" EXIT
 
 apt_get="sudo chroot $TARGET_ROOT /usr/bin/apt-get" # dib-lint: safe_sudo

diskimage_builder/elements/ubuntu-systemd-container/root.d/75-ubuntu-minimal-baseinstall

@@ -30,7 +30,7 @@ deb $DIB_DISTRIBUTION_MIRROR $DIB_RELEASE-security ${DIB_DEBIAN_COMPONENTS//,/ }
 EOF"
 
 sudo mount -t proc none $TARGET_ROOT/proc
-sudo mount -t sysfs none $TARGET_ROOT/sys
+sudo mount -o ro -t sysfs none $TARGET_ROOT/sys
 trap "sudo umount $TARGET_ROOT/proc; sudo umount $TARGET_ROOT/sys" EXIT
 
 apt_get="sudo chroot $TARGET_ROOT /usr/bin/apt-get" # dib-lint: safe_sudo

diskimage_builder/elements/yum-minimal/root.d/08-yum-chroot

@@ -256,7 +256,9 @@ sudo mkdir -p $TARGET_ROOT/proc $TARGET_ROOT/dev $TARGET_ROOT/sys
 sudo mount -t proc none $TARGET_ROOT/proc
 sudo mount --bind /dev $TARGET_ROOT/dev
 sudo mount -t devpts $(mount_dev_pts_options) devpts $TARGET_ROOT/dev/pts
-sudo mount -t sysfs none $TARGET_ROOT/sys
+# Mounting /sys as RO indicates to various systemd things
+# that we are in a container
+sudo mount -o ro -t sysfs none $TARGET_ROOT/sys
 
 # initalize rpmdb
 sudo mkdir -p $TARGET_ROOT/var/lib/rpm

diskimage_builder/elements/zypper-minimal/root.d/08-zypper-chroot

@@ -96,7 +96,7 @@ sudo mkdir -p $TARGET_ROOT/proc $TARGET_ROOT/dev $TARGET_ROOT/sys
 sudo mount -t proc none $TARGET_ROOT/proc
 sudo mount --bind /dev $TARGET_ROOT/dev
 sudo mount -t devpts $(mount_dev_pts_options) devpts $TARGET_ROOT/dev/pts
-sudo mount -t sysfs none $TARGET_ROOT/sys
+sudo mount -o ro -t sysfs none $TARGET_ROOT/sys
 
 # Install filesystem, base and useful tools
 sudo zypper ${ZYPPER_TARGET_OPTS} install --no-recommends filesystem

diskimage_builder/lib/common-functions

@@ -404,7 +404,14 @@ function mount_proc_dev_sys () {
     sudo mount -t proc none $TMP_MOUNT_PATH/proc
     sudo mount --bind /dev $TMP_MOUNT_PATH/dev
     sudo mount -t devpts $(mount_dev_pts_options) devpts $TMP_MOUNT_PATH/dev/pts
-    sudo mount -t sysfs none $TMP_MOUNT_PATH/sys
+    # /sys is mounted RO inside non-privledged containers, thus
+    # mounting this RO in the chroot here is an indication to
+    # systemd/udev and other things that you are inside a container.
+    # This is generically safe and can help avoid issues where things
+    # we don't control like pre/post scripts try to do things that
+    # don't work when building inside a dib container like udevadm
+    # --settle calls, etc.
+    sudo mount -o ro -t sysfs none $TMP_MOUNT_PATH/sys
 }
 
 # Recursively unmount directories under a given directory DIR

releasenotes/notes/sysfs-ro-b127a6df2d78e57c.yaml

@@ -0,0 +1,6 @@
+---
+upgrade:
+  - |
+    Base installs now mount ``/sys`` read-only in chroot environemnts.
+    This is a good indication to various tools and scripts that that
+    they are running in a unprivileged/containerised environment.