cmd/initContainer: Be aware of security hardened / or /etc

On new builds of GNOME OS [1], the host's / is mounted with 'nodev,...'
and those flags are also inherited by /etc because it's not a separate
mount point.  This leads to the same problem with /etc/machine-id that
was seen before with /var/lib/flatpak, /var/lib/systemd/coredump and
/var/log/journal [2].

Therefore, use the same approach [2] to handle /etc/machine-id.

[1] https://gitlab.gnome.org/GNOME/gnome-build-meta/-/issues/718

[2] Commit 1cc9e07b7c
    https://github.com/containers/toolbox/commit/1cc9e07b7c36fe9f
    https://github.com/containers/toolbox/pull/1340

https://github.com/containers/toolbox/issues/911
https://github.com/containers/toolbox/pull/1354

Signed-off-by: Jordan Petridis <jordan@centricular.com>
Jordan Petridis 2023-08-19 07:40:30 +03:00 committed by Debarshi Ray
parent a0514cba12
commit 219f5b4be4

@ -52,7 +52,7 @@ var (
source string
flags string
}{
{"/etc/machine-id", "/run/host/etc/machine-id", "ro"},
{"/etc/machine-id", "/run/host/etc/machine-id", ""},
{"/run/libvirt", "/run/host/run/libvirt", ""},
{"/run/systemd/journal", "/run/host/run/systemd/journal", ""},
{"/run/systemd/resolve", "/run/host/run/systemd/resolve", ""},
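Review bot: the changed entry drops the "ro" flag on the /etc/machine-id bind mount, so the host file is now mounted read-write into the container, and nothing in the hunk records why. Add a short comment next to the entry stating that a read-only remount fails when the host's / is mounted with flags such as nodev that /etc inherits, and reference commit 1cc9e07b7c where the same approach was taken for /var/lib/flatpak, /var/lib/systemd/coredump and /var/log/journal, so that a later cleanup does not restore "ro" and reintroduce the failure. It is also worth stating in that comment that protection of the host's machine-id now relies on host file permissions rather than on the mount flag.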