runtime: virtcontainers: make rootfs image read-only

Improve security by making rootfs image read-only, nobody will be able to modify it from the guest. fixes #1916 Signed-off-by: Julio Montes <julio.montes@intel.com>
2025-06-25 15:02:45 +00:00 · 2021-07-22 09:57:23 -05:00 · 2021-07-22 09:57:23 -05:00 · 2859600a6f
commit 2859600a6f
parent 070590fb53
2 changed files with 2 additions and 0 deletions
--- a/src/runtime/virtcontainers/qemu_amd64_test.go
+++ b/src/runtime/virtcontainers/qemu_amd64_test.go
@ -138,6 +138,7 @@ func TestQemuAmd64AppendImage(t *testing.T) {
 			ID:       "mem0",
 			MemPath:  f.Name(),
 			Size:     (uint64)(imageStat.Size()),
+			ReadOnly: true,
 		},
 	}

--- a/src/runtime/virtcontainers/qemu_arch_base.go
+++ b/src/runtime/virtcontainers/qemu_arch_base.go
@ -406,6 +406,7 @@ func (q *qemuArchBase) appendNvdimmImage(devices []govmmQemu.Device, path string
 		ID:       "mem0",
 		MemPath:  path,
 		Size:     (uint64)(imageStat.Size()),
+		ReadOnly: true,
 	}

 	devices = append(devices, object)