From 2cbb8c216a2f8e7160cdf88ef6ef50ee75559d96 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Wed, 19 Sep 2018 13:13:54 -0400
Subject: Bind Mounts should be mounted read-only when in read-only mode
We don't want to allow users to write to /etc/resolv.conf or /etc/hosts if in read only mode.
Signed-off-by: Daniel J Walsh
Closes: #1510
Approved by: TomSweeneyRedHat
---
 libpod/container_internal_linux.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'libpod/container_internal_linux.go')
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index c0912dc0d..f9e161cb3 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -107,7 +107,10 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 Type: "bind",
 Source: srcPath,
 Destination: dstPath,
- Options: []string{"rw", "bind", "private"},
+ Options: []string{"bind", "private"},
+ }
+ if c.IsReadOnly() {
+ newMount.Options = append(newMount.Options, "ro")
 }
 if !MountExists(g.Mounts(), dstPath) {
 g.AddMount(newMount)
-- cgit v1.2.3-54-g00ecf
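Review bot: The new `if c.IsReadOnly()` branch carries no comment saying why `ro` is appended, so the rationale (a read-only container must not be able to write to its bind-mounted /etc/resolv.conf and /etc/hosts) lives only in the commit message; a line such as `// Read-only containers must not be able to modify the bind-mounted resolv.conf/hosts files either.` above the branch would keep it with the code. Dropping the explicit `"rw"` from the options is behaviour-neutral because a mount with neither `ro` nor `rw` defaults to read-write at the runtime, but a short note that this omission is deliberate would stop a later reader from re-adding it. One caveat worth an explicit test rather than assumption: `ro` on a bind mount is honoured by the OCI runtime through a read-only remount after the bind, and in a user namespace (rootless) that remount must preserve locked flags such as nosuid/nodev or the mount fails with EPERM — this is runtime behaviour inferred from outside the hunk, so a rootless `--read-only` start should be verified. The enclosing `generateSpec`, including the code that sets `srcPath`/`dstPath` and `newMount`, starts and ends outside this hunk.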