runtime: virtcontainers: make rootfs image read-only

Improve security by making rootfs image read-only, nobody will be able to modify it from the guest. fixes #1916 Signed-off-by: Julio Montes <julio.montes@intel.com>
2025-07-17 08:53:26 +00:00 · 2021-07-22 09:57:23 -05:00 · 2021-07-22 09:57:23 -05:00 · d3bab50496
commit d3bab50496
parent 6456cb282b
2 changed files with 2 additions and 0 deletions
--- a/src/runtime/virtcontainers/qemu_amd64_test.go
+++ b/src/runtime/virtcontainers/qemu_amd64_test.go
@ -153,6 +153,7 @@ func TestQemuAmd64AppendImage(t *testing.T) {
 			ID:       "mem0",
 			MemPath:  f.Name(),
 			Size:     (uint64)(imageStat.Size()),
+			ReadOnly: true,
 		},
 	}

--- a/src/runtime/virtcontainers/qemu_arch_base.go
+++ b/src/runtime/virtcontainers/qemu_arch_base.go
@ -378,6 +378,7 @@ func (q *qemuArchBase) appendNvdimmImage(devices []govmmQemu.Device, path string
 		ID:       "mem0",
 		MemPath:  path,
 		Size:     (uint64)(imageStat.Size()),
+		ReadOnly: true,
 	}

 	devices = append(devices, object)