container/ops: mount dev readonly

There is usually no good reason to write to /dev. This however doesn't work in internal/app because FilesystemConfig supplied by ContainerConfig might add entries to /dev, so internal/app follows DevWritable with Remount instead. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-08-03 19:18:53 +09:00
parent 7b416d47dc
commit 38245559dc
10 changed files with 36 additions and 15 deletions
--- a/container/container_test.go
+++ b/container/container_test.go
@@ -74,7 +74,7 @@ var containerTestCases = []struct {
 		new(container.Ops).
 			Dev("/dev", true),
 		[]*vfs.MountInfoEntry{
-			ent("/", "/dev", "rw,nosuid,nodev,relatime", "tmpfs", "devtmpfs", ignore),
+			ent("/", "/dev", "ro,nosuid,nodev,relatime", "tmpfs", "devtmpfs", ignore),
 			ent("/null", "/dev/null", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
 			ent("/zero", "/dev/zero", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
 			ent("/full", "/dev/full", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
@@ -90,7 +90,7 @@ var containerTestCases = []struct {
 		new(container.Ops).
 			Dev("/dev", false),
 		[]*vfs.MountInfoEntry{
-			ent("/", "/dev", "rw,nosuid,nodev,relatime", "tmpfs", "devtmpfs", ignore),
+			ent("/", "/dev", "ro,nosuid,nodev,relatime", "tmpfs", "devtmpfs", ignore),
 			ent("/null", "/dev/null", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
 			ent("/zero", "/dev/zero", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),
 			ent("/full", "/dev/full", "rw,nosuid", "devtmpfs", "devtmpfs", ignore),