Support recursively-readonly mounts with mount_setattr (kernel 5.12)

[AkihiroSuda]

The current OCI mount with options: ["rbind", "ro"] is (surprisingly) not recursively read-only.

mount_setattr(2) introduced in kernel 5.12 can be used for creating recursively-readonly bind mounts:

struct mount_attr attr = {
  .attr_set   = MOUNT_ATTR_RDONLY,
};
rc = mount_setattr(-1, "/mnt/ro", AT_RECURSIVE, &attr, sizeof(attr));

runc implementation will need runtime spec PR to be approved: opencontainers/runtime-spec#1090

[cyphar]

Yes please! Though it should be noted this is technically going to be a behavioural change in runc, because our current implementation (unless I'm mistaken) doesn't currently make mounts read-only recursively. (Funnily enough, mount_settattr(2) partially came out of discussions where I mentioned that MS_REC|MS_RDONLY|MS_BIND|MS_REMOUNT doesn't do what you'd expect -- because we were doing that in runc.)

[AkihiroSuda]

Though it should be noted this is technically going to be a behavioural change in runc

I was thinking of keeping the current ["rbind","ro"] behavior as-is (i.e., recursively writable), and adding new JSON fields for MOUNT_ATTR_RDONLY: opencontainers/runtime-spec#1090

[cyphar]

Right, but I was thinking of readonly: true in particular -- currently that doesn't recursively mount the root as read-only, and it probably should (with the exception of /proc).

[AkihiroSuda]

Moving to v1.2 milestone, waiting for opencontainers/runtime-spec#1090 (comment)

[AkihiroSuda]

Opened PR #3272