From 64984667adf1e45fc5ebced89055760e5a7a9dde Mon Sep 17 00:00:00 2001
From: Julio Montes
Date: Tue, 19 Mar 2019 16:42:18 -0600
Subject: [PATCH 1/2] virtcontainers: improve security and mount the rootfs as read-only fs

Mounting the rootfs as read-only fs the binaries can't be modified. fixes #1389

Signed-off-by: Julio Montes
---
 virtcontainers/qemu_amd64.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/virtcontainers/qemu_amd64.go b/virtcontainers/qemu_amd64.go
index 7a34270876..e09a66ab09 100644
--- a/virtcontainers/qemu_amd64.go
+++ b/virtcontainers/qemu_amd64.go
@@ -32,7 +32,7 @@ var qemuPaths = map[string]string{
 
 var kernelRootParams = []Param{
 	{"root", "/dev/pmem0p1"},
-	{"rootflags", "dax,data=ordered,errors=remount-ro rw"},
+	{"rootflags", "dax,data=ordered,errors=remount-ro ro"},
 	{"rootfstype", "ext4"},
 }
 

From 9b73900ba6d4c4c3a43ce1746c16ddfddf8fb5bb Mon Sep 17 00:00:00 2001
From: Julio Montes
Date: Wed, 20 Mar 2019 09:00:23 -0600
Subject: [PATCH 2/2] katautils: mask systemd-random-seed

systemd-random-seed service fails if the rootfs is a read-only fs. systemd-random-seed restores the random seed of the system at early boot and saves it at shutdown, since kata containers are one boot machines this service is not needed.

Signed-off-by: Julio Montes
---
 pkg/katautils/create.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pkg/katautils/create.go b/pkg/katautils/create.go
index 5283b31239..63fab5c859 100644
--- a/pkg/katautils/create.go
+++ b/pkg/katautils/create.go
@@ -93,6 +93,11 @@ var noTraceKernelParam = []vc.Param{
 		Key: "systemd.mask",
 		Value: "tmp.mount",
 	},
+	// No random seed
+	{
+		Key: "systemd.mask",
+		Value: "systemd-random-seed.service",
+	},
 }
 
 func getKernelParams(needSystemd, trace bool) []vc.Param {
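Review bot: The `ro` appended to the rootflags value is not an ext4 mount option but the kernel's own read-only-root argument; it presumably only takes effect because the embedded space splits it into a separate token when the Param list is joined into the command line, so a reader of `kernelRootParams` cannot see that the read-only mount comes from `ro` rather than from rootflags. I would record that on the line, `// trailing "ro" is the kernel's read-only root flag, split off by the space when the command line is assembled`, or emit it as its own Param if the serializer can produce a bare `ro`. The kernel flag also governs only the initial mount: if the guest image's /etc/fstab lists / as rw, systemd-remount-fs.service will remount it read-write at boot and undo this hardening, so the image's fstab should be verified or that unit masked alongside the others in katautils. The kernelRootParams literal is fully inside the hunk, but how Param values are serialized is not visible here.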
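Review bot: The added `// No random seed` comment does not say why masking this unit is safe, and the reason is security-relevant: with systemd-random-seed masked no persisted seed is ever loaded, so the guest's early-boot entropy comes solely from the kernel's own sources, which in a freshly booted VM can be scarce unless the hypervisor exposes a virtio-rng device. I would replace the comment with `// systemd-random-seed fails on a read-only rootfs and is pointless for a single-boot guest; early entropy must come from the kernel/virtio-rng instead` so the dependency is recorded next to the mask. The mask is a kernel parameter and is only effective when the guest init is systemd, which the enclosing noTraceKernelParam slice presumably already assumes. That slice's header and the getKernelParams body lie outside the hunk.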