image-info: ensure that directory is analysed as read-only

In some cases, e.g. when analysing an extracted `tar` image, it could
happen that the tools used by `image-info` to analyse the image could
modify its content (e.g. create new files which were originally not on
the image). This is especially an issue with `rpm`, which DB backend
seemed to create files in `/var/lib/rpm/` when run.

Ensure that the analysed directory can not be modified by bind-mounting
it as a read only, before the analysis.

Signed-off-by: Tomas Hozza <thozza@redhat.com>

tools/image-info

@@ -2202,12 +2202,19 @@ def analyse_image(image):
 
 
 def append_directory(report, tree):
-    if os.path.lexists(f"{tree}/ostree"):
-        os.makedirs(f"{tree}/etc", exist_ok=True)
-        with mount_at(f"{tree}/usr/etc", f"{tree}/etc", extra=["--bind"]):
-            append_filesystem(report, tree, is_ostree=True)
-    else:
-        append_filesystem(report, tree)
+    with tempfile.TemporaryDirectory(dir="/var/tmp") as tmpdir:
+        tree_ro = os.path.join(tmpdir, "root_ro")
+        os.makedirs(tree_ro)
+        # Make sure that the tools which analyse the directory in-place
+        # can not modify its content (e.g. create additional files).
+        # mount_at() always mounts the source as read-only!
+        with mount_at(tree, tree_ro, ["bind"]) as mountpoint:
+            if os.path.lexists(f"{tree}/ostree"):
+                os.makedirs(f"{tree}/etc", exist_ok=True)
+                with mount_at(f"{tree}/usr/etc", f"{tree}/etc", extra=["--bind"]):
+                    append_filesystem(report, tree_ro, is_ostree=True)
+            else:
+                append_filesystem(report, tree_ro)
 
 
 def append_ostree_repo(report, repo):