diff --git a/Makefile-switchroot.am b/Makefile-switchroot.am
index 9a1d4137..a1d70f7d 100644
--- a/Makefile-switchroot.am
+++ b/Makefile-switchroot.am
@@ -50,7 +50,8 @@ CLEANFILES += ostree-prepare-root
 else
 ostree_boot_PROGRAMS += ostree-prepare-root
 ostree_prepare_root_CFLAGS += $(AM_CFLAGS) -Isrc/switchroot -I$(srcdir)/src/libostree -I$(srcdir)/src/libotcore -I$(srcdir)/src/libotutil
-ostree_prepare_root_SOURCES += src/switchroot/ostree-prepare-root.c
+ostree_prepare_root_SOURCES += src/switchroot/ostree-prepare-root.c \
+ src/libostree/ostree-linuxfsutil.c
 ostree_prepare_root_CPPFLAGS += $(OT_INTERNAL_GIO_UNIX_CFLAGS) $(OT_DEP_CRYPTO_CFLAGS) -I $(srcdir)/libglnx
 ostree_prepare_root_LDADD += $(AM_LDFLAGS) $(OT_INTERNAL_GIO_UNIX_LIBS) $(OT_DEP_CRYPTO_LIBS) libotcore.la libotutil.la libglnx.la
 endif # BUILDOPT_USE_STATIC_COMPILER
diff --git a/src/switchroot/ostree-prepare-root.c b/src/switchroot/ostree-prepare-root.c
index 172ef57f..9659adb3 100644
--- a/src/switchroot/ostree-prepare-root.c
+++ b/src/switchroot/ostree-prepare-root.c
@@ -98,6 +98,7 @@
 #include
 #endif
+#include "ostree-linuxfsutil.h"
 #include "ostree-mount-util.h"
 static bool
@@ -775,6 +776,22 @@ main (int argc, char *argv[])
 /* Unmount /sysroot */
 if (umount2 ("sysroot", MNT_DETACH) < 0)
 err (EXIT_FAILURE, "failed to unmount /sysroot");
+
+ /* Attempt to make the leftover empty /sysroot immutable.
+ * This is to prevent accidental modification when root.transient is enabled.
+ */
+ do
+ {
+ g_autoptr (GError) local_error = NULL;
+ glnx_autofd int fd = -1;
+ if (!glnx_opendirat (AT_FDCWD, "sysroot", TRUE, &fd, &local_error))
+ err (EXIT_FAILURE, "failed to open /sysroot");
+ /* It's funny that we need to first touch it to move it to upper layer */
+ if (futimens (fd, NULL) < 0)
+ break;
+ if (!_ostree_linuxfs_fd_alter_immutable_flag (fd, TRUE, NULL, &local_error))
+ break;
+ } while (FALSE);
 }
 else if (sysroot_readonly)
 {
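Review bot: In the added `do { … } while (FALSE)` block of the last hunk, the two `break` exits drop a failed `futimens()` or `_ostree_linuxfs_fd_alter_immutable_flag()` without any message, so a boot that leaves /sysroot mutable cannot be told apart from one where the flag was set, and `local_error` is freed unread. Since the step exists to guard /sysroot when root.transient is enabled, both failures should be reported, e.g. `warn ("failed to touch /sysroot");` before the first `break` and `warnx ("failed to make /sysroot immutable: %s", local_error->message);` before the second (assuming the helper fills `local_error` on failure, as the GError convention expects). The open failure follows the opposite policy and is fatal through `err()`, which prints `errno` rather than the GError it was handed; `errx (EXIT_FAILURE, "failed to open /sysroot: %s", local_error->message);` would show the actual cause, and the block comment should say why only this step is fatal when the rest is best-effort. `main` begins and ends outside this hunk.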