app: remount root readonly

This does nothing for security, but should help avoid hiding bugs of programs developed in a hakurei container.

Signed-off-by: Ophestra <cat@gensokyo.uk>

internal/app/app_pd_linux_test.go

@@ -2,6 +2,7 @@ package app_test
 
 import (
 	"os"
+	"syscall"
 
 	"hakurei.app/container"
 	"hakurei.app/container/seccomp"
@@ -56,7 +57,8 @@ var testCasesPd = []sealTestCase{
 				Bind("/tmp/hakurei.1971/tmpdir/0", "/tmp", container.BindWritable).
 				Bind("/home/chronos", "/home/chronos", container.BindWritable).
 				Place("/etc/passwd", []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")).
-				Place("/etc/group", []byte("hakurei:x:65534:\n")),
+				Place("/etc/group", []byte("hakurei:x:65534:\n")).
+				Remount("/", syscall.MS_RDONLY),
 			SeccompPresets: seccomp.PresetExt | seccomp.PresetDenyDevel,
 			HostNet:        true,
 			RetainSession:  true,
@@ -195,7 +197,8 @@ var testCasesPd = []sealTestCase{
 				Bind("/run/user/1971/hakurei/ebf083d1b175911782d413369b64ce7c/pulse", "/run/user/65534/pulse/native", 0).
 				Place(hst.Tmp+"/pulse-cookie", nil).
 				Bind("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/bus", "/run/user/65534/bus", 0).
-				Bind("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", "/run/dbus/system_bus_socket", 0),
+				Bind("/tmp/hakurei.1971/ebf083d1b175911782d413369b64ce7c/system_bus_socket", "/run/dbus/system_bus_socket", 0).
+				Remount("/", syscall.MS_RDONLY),
 			SeccompPresets: seccomp.PresetExt | seccomp.PresetDenyDevel,
 			HostNet:        true,
 			RetainSession:  true,