From 704d5d305a4168e9720cfae510114d44aa52318b Mon Sep 17 00:00:00 2001
From: Christian Kellner
Date: Thu, 24 Jun 2021 16:01:18 +0000
Subject: [PATCH] buildroot: mount /sys as read-only

This will prevent any modification of anything in `/sys`. It will also prevent `udevadm tigger` to run, which needs /sys writeable. This is a desired effect, since uevents are not delivered to the contained environment, so `udevadm trigger` might hang.
---
 osbuild/buildroot.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/osbuild/buildroot.py b/osbuild/buildroot.py
index cd422b56..5834c712 100644
--- a/osbuild/buildroot.py
+++ b/osbuild/buildroot.py
@@ -177,7 +177,7 @@ class BuildRoot(contextlib.AbstractContextManager):
 # Setup API file-systems.
 mounts += ["--proc", "/proc"]
- mounts += ["--bind", "/sys", "/sys"]
+ mounts += ["--ro-bind", "/sys", "/sys"]
 mounts += ["--ro-bind-try", "/sys/fs/selinux", "/sys/fs/selinux"]
 # There was a bug in mke2fs (fixed in versionv 1.45.7) where mkfs.ext4
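Review bot: The new `--ro-bind` line carries no explanation in the code, so the rationale given in the commit message (uevents are not delivered into the contained environment, so a writable /sys would let udevadm trigger hang) is lost to the next reader, who may read the line as an oversight and restore `--bind`. I would put a comment directly above it, e.g. `# /sys is deliberately read-only: uevents are not delivered into the buildroot, so a writable /sys would let "udevadm trigger" hang, and nothing in the build should modify sysfs anyway.` The following `--ro-bind-try` of `/sys/fs/selinux` now sits on top of an already read-only /sys; whether it is still needed depends on how bwrap applies read-only to submounts, which is worth confirming rather than assuming. The enclosing BuildRoot method starts and ends outside the hunk.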