Merge pull request #341 from cgwalters/mount-boot-ro

install: Mount `/boot` readonly by default
2026-02-05 15:45:53 +01:00 · 2024-02-14 11:09:21 -05:00
parent 0b188ba965 89f739adb7
commit e1ef710002
2 changed files with 31 additions and 2 deletions
--- a/lib/src/install.rs
+++ b/lib/src/install.rs
@@ -362,6 +362,15 @@ impl MountSpec {
            self.source, self.target, self.fstype, options
        )
    }
+
+    /// Append a mount option
+    pub(crate) fn push_option(&mut self, opt: &str) {
+        let options = self.options.get_or_insert_with(Default::default);
+        if !options.is_empty() {
+            options.push(',');
+        }
+        options.push_str(opt);
+    }
 }

 impl FromStr for MountSpec {
@@ -1308,13 +1317,18 @@ pub(crate) async fn install_to_filesystem(opts: InstallToFilesystemOpts) -> Resu
    tracing::debug!("Backing device: {backing_device}");

    let rootarg = format!("root={root_mount_spec}");
-    let boot = if let Some(spec) = fsopts.boot_mount_spec {
+    let mut boot = if let Some(spec) = fsopts.boot_mount_spec {
        Some(MountSpec::new(&spec, "/boot"))
    } else {
        boot_uuid
            .as_deref()
            .map(|boot_uuid| MountSpec::new_uuid_src(boot_uuid, "/boot"))
    };
+    // Ensure that we mount /boot readonly because it's really owned by bootc/ostree
+    // and we don't want e.g. apt/dnf trying to mutate it.
+    if let Some(boot) = boot.as_mut() {
+        boot.push_option("ro");
+    }
    // By default, we inject a boot= karg because things like FIPS compliance currently
    // require checking in the initramfs.
    let bootarg = boot.as_ref().map(|boot| format!("boot={}", &boot.source));
@@ -1354,3 +1368,13 @@ fn install_opts_serializable() {
    .unwrap();
    assert_eq!(c.block_opts.device, "/dev/vda");
 }
+
+#[test]
+fn test_mountspec() {
+    let mut ms = MountSpec::new("/dev/vda4", "/boot");
+    assert_eq!(ms.to_fstab(), "/dev/vda4 /boot auto defaults 0 0");
+    ms.push_option("ro");
+    assert_eq!(ms.to_fstab(), "/dev/vda4 /boot auto ro 0 0");
+    ms.push_option("relatime");
+    assert_eq!(ms.to_fstab(), "/dev/vda4 /boot auto ro,relatime 0 0");
+}
--- a/lib/src/install/baseline.rs
+++ b/lib/src/install/baseline.rs
@@ -348,7 +348,12 @@ pub(crate) fn install_create_rootfs(
    let rootarg = format!("root=UUID={root_uuid}");
    let bootsrc = format!("UUID={boot_uuid}");
    let bootarg = format!("boot={bootsrc}");
-    let boot = MountSpec::new(bootsrc.as_str(), "/boot");
+    let boot = MountSpec {
+        source: bootsrc.into(),
+        target: "/boot".into(),
+        fstype: MountSpec::AUTO.into(),
+        options: Some("ro".into()),
+    };
    let kargs = root_blockdev_kargs
        .into_iter()
        .flatten()