From 64984667adf1e45fc5ebced89055760e5a7a9dde Mon Sep 17 00:00:00 2001
From: Julio Montes
Date: Tue, 19 Mar 2019 16:42:18 -0600
Subject: [PATCH] virtcontainers: improve security and mount the rootfs as read-only fs

Mounting the rootfs as read-only fs the binaries can't be modified.

fixes #1389

Signed-off-by: Julio Montes
---
 virtcontainers/qemu_amd64.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/virtcontainers/qemu_amd64.go b/virtcontainers/qemu_amd64.go
index 7a34270876..e09a66ab09 100644
--- a/virtcontainers/qemu_amd64.go
+++ b/virtcontainers/qemu_amd64.go
@@ -32,7 +32,7 @@ var qemuPaths = map[string]string{
 var kernelRootParams = []Param{
 {"root", "/dev/pmem0p1"},
- {"rootflags", "dax,data=ordered,errors=remount-ro rw"},
+ {"rootflags", "dax,data=ordered,errors=remount-ro ro"},
 {"rootfstype", "ext4"},
 }
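Review bot: In `kernelRootParams`, the trailing ` ro` inside the `rootflags` value is not an ext4 mount option but a separate kernel command-line token that only takes effect because of the embedded space, which is easy to break in a later edit. A comment above that entry such as `// "ro" after the space is its own kernel parameter (mount root read-only), not a rootflags option` would make the intent explicit. The read-only mount is also only a guest-side setting: presumably a privileged process in the guest could remount `/dev/pmem0p1` read-write unless the backing image is also attached read-only on the host, so that is worth confirming before relying on this as the integrity control. The diffstat shows only `qemu_amd64.go` changed; if other architectures define their own root parameters, they likely still pass `rw`.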