From d3bab50496c726711b3cb902a99a500b15888adf Mon Sep 17 00:00:00 2001
From: Julio Montes
Date: Thu, 22 Jul 2021 09:57:23 -0500
Subject: [PATCH] runtime: virtcontainers: make rootfs image read-only

Improve security by making rootfs image read-only, nobody will be able to modify it from the guest.

fixes #1916

Signed-off-by: Julio Montes
---
 src/runtime/virtcontainers/qemu_amd64_test.go | 1 +
 src/runtime/virtcontainers/qemu_arch_base.go | 1 +
 2 files changed, 2 insertions(+)

diff --git a/src/runtime/virtcontainers/qemu_amd64_test.go b/src/runtime/virtcontainers/qemu_amd64_test.go
index 1d321e9353..ccee1ac216 100644
--- a/src/runtime/virtcontainers/qemu_amd64_test.go
+++ b/src/runtime/virtcontainers/qemu_amd64_test.go
@@ -153,6 +153,7 @@ func TestQemuAmd64AppendImage(t *testing.T) {
 			ID: "mem0",
 			MemPath: f.Name(),
 			Size: (uint64)(imageStat.Size()),
+			ReadOnly: true,
 		},
 	}
 
diff --git a/src/runtime/virtcontainers/qemu_arch_base.go b/src/runtime/virtcontainers/qemu_arch_base.go
index d2ffac4a1d..43684d2c41 100644
--- a/src/runtime/virtcontainers/qemu_arch_base.go
+++ b/src/runtime/virtcontainers/qemu_arch_base.go
@@ -378,6 +378,7 @@ func (q *qemuArchBase) appendNvdimmImage(devices []govmmQemu.Device, path string
 		ID: "mem0",
 		MemPath: path,
 		Size: (uint64)(imageStat.Size()),
+		ReadOnly: true,
 	}
 
 	devices = append(devices, object)
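Review bot: Setting `ReadOnly: true` on the `mem0` memory backend in appendNvdimmImage protects the host-side rootfs file, but it does not by itself tell the guest that the nvdimm is read-only, so the guest kernel can still attempt writes to the DAX-mapped image and what happens then depends on how QEMU/KVM treat faults on a read-only backend mapping — the guest-side `ro` mount of the rootfs (or advertising the nvdimm as unarmed) should be confirmed rather than relying on this flag alone, and the commit message's "nobody will be able to modify it from the guest" is stronger than the visible change supports. The `readonly` property of `memory-backend-file` is a relatively recent QEMU addition, so this presumably needs to be checked against the minimum QEMU version the runtime supports, otherwise VM launch would fail with an unknown-property error; how govmm renders the field onto the command line is not visible here. The added test hunk only asserts the struct field, not that `readonly=on` reaches the QEMU command line. A why-comment above the field would help the next reader: `// ReadOnly: back the image with a read-only host mapping so guest writes cannot reach the rootfs file on the host.` appendNvdimmImage starts before and continues past this hunk.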