cmd/initContainer: Be aware of security hardened / or /etc

On new builds of GNOME OS [1], the host's / is mounted with 'nodev,...' and those flags are also inherited by /etc because it's not a separate mount point. This leads to the same problem with /etc/machine-id that was seen before with /var/lib/flatpak, /var/lib/systemd/coredump and /var/log/journal [2]. Therefore, use the same approach [2] to handle /etc/machine-id. [1] https://gitlab.gnome.org/GNOME/gnome-build-meta/-/issues/718 [2] Commit 1cc9e07 containers@1cc9e07b7c36fe9f containers#1340 containers#911 containers#1354 Signed-off-by: Jordan Petridis <jordan@centricular.com>
alatiera · Aug 22, 2023 · 219f5b4 · 219f5b4
1 parent a0514cb
commit 219f5b4
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/src/cmd/initContainer.go b/src/cmd/initContainer.go
@@ -52,7 +52,7 @@ var (
 		source        string
 		flags         string
 	}{
-		{"/etc/machine-id", "/run/host/etc/machine-id", "ro"},
+		{"/etc/machine-id", "/run/host/etc/machine-id", ""},
 		{"/run/libvirt", "/run/host/run/libvirt", ""},
 		{"/run/systemd/journal", "/run/host/run/systemd/journal", ""},
 		{"/run/systemd/resolve", "/run/host/run/systemd/resolve", ""},