From 12b60c4088d9163f756472e7d8eab2ab321fe287 Mon Sep 17 00:00:00 2001
From: Ian Wienand
Date: Fri, 2 Jul 2021 09:26:20 +1000
Subject: [PATCH] Mount /sys RO
As noted inline, this works around potential issues by being a strong indication you are in a container (e.g. [1]). Since nothing should be changing anything on the host/build system, this is a generically safer way to operate.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1975588
Change-Id: Ic6802c4ffc2e825f129af10717860a2d1770fe80
---
.../debian-minimal/root.d/75-debian-minimal-baseinstall | 2 +-
.../elements/ramdisk/init.d/10-start-base-system | 2 +-
.../ubuntu-minimal/root.d/75-ubuntu-minimal-baseinstall | 2 +-
.../root.d/75-ubuntu-minimal-baseinstall | 2 +-
.../elements/yum-minimal/root.d/08-yum-chroot | 4 +++-
.../elements/zypper-minimal/root.d/08-zypper-chroot | 2 +-
diskimage_builder/lib/common-functions | 9 ++++++++-
releasenotes/notes/sysfs-ro-b127a6df2d78e57c.yaml | 6 ++++++
8 files changed, 22 insertions(+), 7 deletions(-)
create mode 100644 releasenotes/notes/sysfs-ro-b127a6df2d78e57c.yaml
diff --git a/diskimage_builder/elements/debian-minimal/root.d/75-debian-minimal-baseinstall b/diskimage_builder/elements/debian-minimal/root.d/75-debian-minimal-baseinstall
index 9ffc53fd..c536bc95 100755
--- a/diskimage_builder/elements/debian-minimal/root.d/75-debian-minimal-baseinstall
+++ b/diskimage_builder/elements/debian-minimal/root.d/75-debian-minimal-baseinstall
@@ -48,7 +48,7 @@ function apt_sources_write {
 }
 sudo mount -t proc none $TARGET_ROOT/proc
-sudo mount -t sysfs none $TARGET_ROOT/sys
+sudo mount -o ro -t sysfs none $TARGET_ROOT/sys
 trap "sudo umount $TARGET_ROOT/proc; sudo umount $TARGET_ROOT/sys" EXIT
 apt_get="sudo chroot $TARGET_ROOT /usr/bin/apt-get"
diff --git a/diskimage_builder/elements/ramdisk/init.d/10-start-base-system b/diskimage_builder/elements/ramdisk/init.d/10-start-base-system
index 2fbffe1c..99f9d46a 100644
--- a/diskimage_builder/elements/ramdisk/init.d/10-start-base-system
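Review bot: The `-o ro` on the new `sudo mount -o ro -t sysfs none $TARGET_ROOT/sys` line is a hint and an accidental-write guard rather than an enforced restriction: the mount is a fresh sysfs instance over the host kernel's objects, and whatever runs under `sudo chroot $TARGET_ROOT` (the `apt_get` line just below) is root and, absent a mount namespace this page does not show, can `mount -o remount,rw` it, so the commit message's "generically safer" should be read as fewer unintended host writes, not as isolation. The same applies to the identical changes in the ubuntu-minimal, ubuntu-systemd-container, yum-minimal, zypper-minimal and common-functions hunks; only the last two explain the option in a comment, and a bare `-o ro` elsewhere is easy to drop in a later cleanup, so a one-line comment at each of the other sites, e.g. `# RO /sys: signals chroot/container to udev/systemd and blocks stray writes to the host's sysfs`, would help. Which tools actually key on a read-only /sys is not visible here, so the effectiveness of the hint is best confirmed against the bug referenced in the commit message. The new line leaves `$TARGET_ROOT` unquoted like its neighbours; `"$TARGET_ROOT/sys"` is the safer form if these scripts are ever linted for that.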
+++ b/diskimage_builder/elements/ramdisk/init.d/10-start-base-system
@@ -2,7 +2,7 @@
 mkdir -p /proc /sys /dev /boot /etc /mnt /lib/modules
 mount -t proc proc /proc
-mount -t sysfs none /sys
+mount -o ro -t sysfs none /sys
 UDEVD=
 if [ -x "/bin/systemd-udevd" ]; then
diff --git a/diskimage_builder/elements/ubuntu-minimal/root.d/75-ubuntu-minimal-baseinstall b/diskimage_builder/elements/ubuntu-minimal/root.d/75-ubuntu-minimal-baseinstall
index 082146cc..eef2005b 100755
--- a/diskimage_builder/elements/ubuntu-minimal/root.d/75-ubuntu-minimal-baseinstall
+++ b/diskimage_builder/elements/ubuntu-minimal/root.d/75-ubuntu-minimal-baseinstall
@@ -41,7 +41,7 @@ done
 sudo mount -t proc none $TARGET_ROOT/proc
-sudo mount -t sysfs none $TARGET_ROOT/sys
+sudo mount -o ro -t sysfs none $TARGET_ROOT/sys
 trap "sudo umount $TARGET_ROOT/proc; sudo umount $TARGET_ROOT/sys" EXIT
 apt_get="sudo chroot $TARGET_ROOT /usr/bin/apt-get" # dib-lint: safe_sudo
diff --git a/diskimage_builder/elements/ubuntu-systemd-container/root.d/75-ubuntu-minimal-baseinstall b/diskimage_builder/elements/ubuntu-systemd-container/root.d/75-ubuntu-minimal-baseinstall
index 808657db..b6b8fd45 100755
--- a/diskimage_builder/elements/ubuntu-systemd-container/root.d/75-ubuntu-minimal-baseinstall
+++ b/diskimage_builder/elements/ubuntu-systemd-container/root.d/75-ubuntu-minimal-baseinstall
@@ -30,7 +30,7 @@ deb $DIB_DISTRIBUTION_MIRROR $DIB_RELEASE-security ${DIB_DEBIAN_COMPONENTS//,/ }
 EOF"
 sudo mount -t proc none $TARGET_ROOT/proc
-sudo mount -t sysfs none $TARGET_ROOT/sys
+sudo mount -o ro -t sysfs none $TARGET_ROOT/sys
 trap "sudo umount $TARGET_ROOT/proc; sudo umount $TARGET_ROOT/sys" EXIT
 apt_get="sudo chroot $TARGET_ROOT /usr/bin/apt-get" # dib-lint: safe_sudo
diff --git a/diskimage_builder/elements/yum-minimal/root.d/08-yum-chroot b/diskimage_builder/elements/yum-minimal/root.d/08-yum-chroot
index f7e33adc..e3f6ac15 100755
--- a/diskimage_builder/elements/yum-minimal/root.d/08-yum-chroot
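Review bot: In 10-start-base-system the new `mount -o ro -t sysfs none /sys` runs in the ramdisk's own boot-time init rather than in a build chroot, so the container-hint rationale in the commit message does not obviously carry over, and the lines that follow (`UDEVD=` / `if [ -x "/bin/systemd-udevd" ]; then`) go on to pick a udev daemon that normally writes to sysfs (uevent triggering, for instance) to enumerate devices. If udev reads a read-only /sys as "inside a container" it may skip that work on a real boot, so unless a read-only /sys is deliberately wanted here this one site should probably keep the writable mount, or at least carry a comment such as `# /sys is mounted RO on purpose at boot, not only in build chroots` stating why it is safe for this init. The rest of the udev selection and start-up lies outside the hunk, so whether anything later remounts /sys cannot be seen from here.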
+++ b/diskimage_builder/elements/yum-minimal/root.d/08-yum-chroot
@@ -256,7 +256,9 @@ sudo mkdir -p $TARGET_ROOT/proc $TARGET_ROOT/dev $TARGET_ROOT/sys
 sudo mount -t proc none $TARGET_ROOT/proc
 sudo mount --bind /dev $TARGET_ROOT/dev
 sudo mount -t devpts $(mount_dev_pts_options) devpts $TARGET_ROOT/dev/pts
-sudo mount -t sysfs none $TARGET_ROOT/sys
+# Mounting /sys as RO indicates to various systemd things
+# that we are in a container
+sudo mount -o ro -t sysfs none $TARGET_ROOT/sys
 # initalize rpmdb
 sudo mkdir -p $TARGET_ROOT/var/lib/rpm
diff --git a/diskimage_builder/elements/zypper-minimal/root.d/08-zypper-chroot b/diskimage_builder/elements/zypper-minimal/root.d/08-zypper-chroot
index 4a75bba4..e1213ed5 100755
--- a/diskimage_builder/elements/zypper-minimal/root.d/08-zypper-chroot
+++ b/diskimage_builder/elements/zypper-minimal/root.d/08-zypper-chroot
@@ -96,7 +96,7 @@ sudo mkdir -p $TARGET_ROOT/proc $TARGET_ROOT/dev $TARGET_ROOT/sys
 sudo mount -t proc none $TARGET_ROOT/proc
 sudo mount --bind /dev $TARGET_ROOT/dev
 sudo mount -t devpts $(mount_dev_pts_options) devpts $TARGET_ROOT/dev/pts
-sudo mount -t sysfs none $TARGET_ROOT/sys
+sudo mount -o ro -t sysfs none $TARGET_ROOT/sys
 # Install filesystem, base and useful tools
 sudo zypper ${ZYPPER_TARGET_OPTS} install --no-recommends filesystem
diff --git a/diskimage_builder/lib/common-functions b/diskimage_builder/lib/common-functions
index daeb360a..0526237f 100644
--- a/diskimage_builder/lib/common-functions
+++ b/diskimage_builder/lib/common-functions
@@ -404,7 +404,14 @@ function mount_proc_dev_sys () {
 sudo mount -t proc none $TMP_MOUNT_PATH/proc
 sudo mount --bind /dev $TMP_MOUNT_PATH/dev
 sudo mount -t devpts $(mount_dev_pts_options) devpts $TMP_MOUNT_PATH/dev/pts
- sudo mount -t sysfs none $TMP_MOUNT_PATH/sys
+ # /sys is mounted RO inside non-privledged containers, thus
+ # mounting this RO in the chroot here is an indication to
+ # systemd/udev and other things that you are inside a container.
+ # This is generically safe and can help avoid issues where things
+ # we don't control like pre/post scripts try to do things that
+ # don't work when building inside a dib container like udevadm
+ # --settle calls, etc.
+ sudo mount -o ro -t sysfs none $TMP_MOUNT_PATH/sys
 }
 # Recursively unmount directories under a given directory DIR
diff --git a/releasenotes/notes/sysfs-ro-b127a6df2d78e57c.yaml b/releasenotes/notes/sysfs-ro-b127a6df2d78e57c.yaml
new file mode 100644
index 00000000..982182b0
--- /dev/null
+++ b/releasenotes/notes/sysfs-ro-b127a6df2d78e57c.yaml
@@ -0,0 +1,6 @@
+---
+upgrade:
+ - |
+ Base installs now mount ``/sys`` read-only in chroot environemnts.
+ This is a good indication to various tools and scripts that that
+ they are running in a unprivileged/containerised environment.
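Review bot: The comment added above the new `sudo mount -o ro -t sysfs none $TMP_MOUNT_PATH/sys` in mount_proc_dev_sys misspells "privledged" (`# /sys is mounted RO inside non-privileged containers, thus`) and its "This is generically safe" sentence overstates what the option enforces: the sysfs instance still exposes the host kernel, and a root process inside the chroot can `mount -o remount,rw` it, so this is a hint to udev/systemd plus protection against accidental host writes, not a boundary. A closing line such as `# Note: a hint, not a security boundary -- root in the chroot can remount it rw.` would keep a future reader from relying on it as a control. The function's signature is only the hunk header context, so it and any earlier body lines are outside the hunk, as is the unmount helper whose header comment closes it.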