make.sh: Create all bind-mounts as read-only where possible

This way, the build environment can no longer modify any source any more. This was not a huge integrity problem before as Git would have shown differences, but it might cause damage to the build system which need to manually be recovered. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2026-04-25 10:22:59 +02:00 · 2024-07-05 08:21:10 +00:00
parent daa17f2e24
commit 27b8db2421
1 changed files with 9 additions and 9 deletions
--- a/make.sh
+++ b/make.sh
@@ -480,15 +480,15 @@ prepareenv() {
 		-t tmpfs -o "nosuid,nodev,strictatime,size=4G,nr_inodes=1M,mode=1777"

 	# Make all sources and proc available under lfs build
-	mount --bind /sys					"${BUILD_DIR}/sys"
-	mount --bind "${BASEDIR}/cache"		"${BUILD_DIR}/usr/src/cache"
-	mount --bind "${BASEDIR}/config"	"${BUILD_DIR}/usr/src/config"
-	mount --bind "${BASEDIR}/doc"		"${BUILD_DIR}/usr/src/doc"
-	mount --bind "${BASEDIR}/html"		"${BUILD_DIR}/usr/src/html"
-	mount --bind "${BASEDIR}/langs"		"${BUILD_DIR}/usr/src/langs"
-	mount --bind "${BASEDIR}/lfs"		"${BUILD_DIR}/usr/src/lfs"
-	mount --bind "${BASEDIR}/log"		"${BUILD_DIR}/usr/src/log"
-	mount --bind "${BASEDIR}/src"		"${BUILD_DIR}/usr/src/src"
+	mount --bind     	/sys					"${BUILD_DIR}/sys"
+	mount --bind -o ro	"${BASEDIR}/cache"		"${BUILD_DIR}/usr/src/cache"
+	mount --bind -o ro	"${BASEDIR}/config"		"${BUILD_DIR}/usr/src/config"
+	mount --bind -o ro	"${BASEDIR}/doc"		"${BUILD_DIR}/usr/src/doc"
+	mount --bind -o ro	"${BASEDIR}/html"		"${BUILD_DIR}/usr/src/html"
+	mount --bind -o ro	"${BASEDIR}/langs"		"${BUILD_DIR}/usr/src/langs"
+	mount --bind -o ro	"${BASEDIR}/lfs"		"${BUILD_DIR}/usr/src/lfs"
+	mount --bind    	"${BASEDIR}/log"		"${BUILD_DIR}/usr/src/log"
+	mount --bind -o ro	"${BASEDIR}/src"		"${BUILD_DIR}/usr/src/src"

 	# Mount the ccache
 	mount --bind "${CCACHE_DIR}"		"${BUILD_DIR}/usr/src/ccache"