diff --git a/overlay.d/05core/usr/lib/systemd/system-generators/coreos-boot-mount-generator b/overlay.d/05core/usr/lib/systemd/system-generators/coreos-boot-mount-generator index d20186de0d..cc8e418d79 100755 --- a/overlay.d/05core/usr/lib/systemd/system-generators/coreos-boot-mount-generator +++ b/overlay.d/05core/usr/lib/systemd/system-generators/coreos-boot-mount-generator @@ -35,8 +35,9 @@ fi mk_mount() { local mount_pt="${1}"; shift local label="${1}"; shift - local path="/dev/disk/by-label/${label}" + local options="${1}"; shift + local path="/dev/disk/by-label/${label}" local unit_name=$(systemd-escape -p ${mount_pt} --suffix=mount) eval $(udevadm info --query property --export "${path}") @@ -61,15 +62,20 @@ After=systemd-fsck@${device}.service [Mount] What=${path} Where=${mount_pt} +Options=${options} EOF add_wants "${unit_name}" } - -# Don't create mount units for /boot or /boot/efi on live systems. +# Don't create mount units for /boot on live systems. # ConditionPathExists won't work here because conditions don't affect # the dependency on the underlying device unit. if [ ! -f /run/ostree-live ]; then - mk_mount /boot boot + # We mount read-only by default mostly to protect + # against accidental damage. Only a few things + # owned by CoreOS should be touching /boot or the ESP. + # Use nodev,nosuid because some hardening guides want + # that even though it's of minimal value. + mk_mount /boot boot ro,nodev,nosuid fi diff --git a/tests/kola/misc-ro b/tests/kola/misc-ro index 4f2dfdd7f0..1a777ae4b2 100755 --- a/tests/kola/misc-ro +++ b/tests/kola/misc-ro @@ -51,10 +51,15 @@ if ip link | grep -o -e " eth[0-9]:"; then fi ok nic naming -if test -w /sysroot; then - fatal "found writable /sysroot" -fi -ok sysroot ro +for part in /sysroot /boot; do + if ! findmnt -n -o options ${part} | grep -q "ro,"; then + fatal "${part} is missing ro option" + fi + if test -w "${part}" || touch "${part}/somefile" 2>/dev/null; then + fatal "${part} is writable" + fi +done +ok read-only partitions if ! lsattr -d / | grep -qe '--i--'; then fatal "missing immutable bit on /"