From ff3953efe1aec2229273cd59e7d35a540de0e476 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Amadeusz=20=C5=BBo=C5=82nowski?= <aidecoe@aidecoe.name>

Date: Thu, 26 Jul 2012 16:44:09 +0200

Subject: [PATCH] ro_mnt - option at build time to force ro mount of / and

 /usr

---

 dracut.conf                      | 3 +++

 dracut.conf.5.asc                | 3 +++

 dracut.sh                        | 6 +++++-

 modules.d/99base/module-setup.sh | 3 +++

 4 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/dracut.conf b/dracut.conf

index f47d571..f912acc 100644

--- a/dracut.conf

+++ b/dracut.conf

@@ -43,6 +43,9 @@ lvmconf="yes"

 # inhibit installation of any fsck tools

 #nofscks="yes"

+# mount / and /usr read-only by default

+#ro_mnt="no"

+

 # set the directory for temporary files

 # default: /var/tmp

 #tmpdir=/tmp

diff --git a/dracut.conf.5.asc b/dracut.conf.5.asc

index d17477d..89bbf61 100644

--- a/dracut.conf.5.asc

+++ b/dracut.conf.5.asc

@@ -97,6 +97,9 @@ If chrooted to another root other than the real root device, use --fstab and pro

 *nofscks=*"__{yes|no}__"::

     If specified, inhibit installation of any fsck tools.

+*ro_mnt*

+    Mount _/_ and _/usr_ read-only by default.

+

 *kernel_only=*"__{yes|no}__"::

     Only install kernel drivers and firmware files. (default=no)

diff --git a/dracut.sh b/dracut.sh

index d8b3354..eee829e 100755

--- a/dracut.sh

+++ b/dracut.sh

@@ -101,6 +101,7 @@ Creates initial ramdisk images for preloading modules

   --nolvmconf           Do not include local /etc/lvm/lvm.conf

   --fscks [LIST]        Add a space-separated list of fsck helpers.

   --nofscks             Inhibit installation of any fsck helpers.

+  --ro-mnt              Mount / and /usr read-only by default.

   -h, --help            This message

   --debug               Output debug information of the build process

   --profile             Output profile information of the build process

@@ -261,6 +262,7 @@ TEMP=$(unset POSIXLY_CORRECT; getopt \

     --long add-fstab: \

     --long mount: \

     --long nofscks: \

+    --long ro-mnt \

     --long kmoddir: \

     --long conf: \

     --long confdir: \

@@ -326,6 +328,7 @@ while :; do

         --add-fstab)   push add_fstab_l          "$2"; shift;;

         --mount)       push fstab_lines          "$2"; shift;;

         --nofscks)     nofscks_l="yes";;

+        --ro-mnt)      ro_mnt_l="yes";;

         -k|--kmoddir)  drivers_dir_l="$2"; shift;;

         -c|--conf)     conffile="$2"; shift;;

         --confdir)     confdir="$2"; shift;;

@@ -558,6 +561,7 @@ stdloglvl=$((stdloglvl + verbosity_mod_l))

 [[ $compress_l ]] && compress=$compress_l

 [[ $show_modules_l ]] && show_modules=$show_modules_l

 [[ $nofscks_l ]] && nofscks="yes"

+[[ $ro_mnt_l ]] && ro_mnt="yes"

 # eliminate IFS hackery when messing with fw_dir

 fw_dir=${fw_dir//:/ }

@@ -779,7 +783,7 @@ fi

 export initdir dracutbasedir dracutmodules drivers \

     fw_dir drivers_dir debug no_kernel kernel_only \

     add_drivers omit_drivers mdadmconf lvmconf filesystems \

-    use_fstab fstab_lines libdirs fscks nofscks \

+    use_fstab fstab_lines libdirs fscks nofscks ro_mnt \

     stdloglvl sysloglvl fileloglvl kmsgloglvl logfile \

     debug host_fs_types host_devs sshkey add_fstab \

     DRACUT_VERSION udevdir systemdutildir systemdsystemunitdir \

diff --git a/modules.d/99base/module-setup.sh b/modules.d/99base/module-setup.sh

index f20ca1a..dde1285 100755

--- a/modules.d/99base/module-setup.sh

+++ b/modules.d/99base/module-setup.sh

@@ -50,6 +50,9 @@ install() {

     fi

     ln -fs /proc/self/mounts "$initdir/etc/mtab"

+    if [[ $ro_mnt = yes ]]; then

+        echo ro >> "${initdir}/etc/cmdline.d/base.conf"

+    fi

     if [ -e /etc/os-release ]; then

         . /etc/os-release