[PATCH] libmount: don't hold write fd to mounted device


 



Avoid holding writeable fd to a loop device that is being mounted. In
the hardened configurations (CONFIG_BLK_DEV_WRITE_MOUNTED = n) the
kernel wants to make sure nobody else has the block device writeably
open when mounting so this makes the mount fail.

Reported-by: JunChao Sun <sunjunchao2870@xxxxxxxxx>
Signed-off-by: Jan Kara <jack@xxxxxxx>
---
 libmount/src/hook_loopdev.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/libmount/src/hook_loopdev.c b/libmount/src/hook_loopdev.c
index 8c8f7f218732..e2114b0cbebe 100644
--- a/libmount/src/hook_loopdev.c
+++ b/libmount/src/hook_loopdev.c
@@ -356,15 +356,19 @@ success:
 			 */
 			mnt_optlist_append_flags(ol, MS_RDONLY, cxt->map_linux);
 
-		/* we have to keep the device open until mount(1),
-		 * otherwise it will be auto-cleared by kernel
+		/*
+		 * We have to keep the device open until mount(1), otherwise it
+		 * will be auto-cleared by kernel. However we don't want to
+		 * keep writeable fd as kernel wants to block all writers to
+		 * the device being mounted (in the more hardened
+		 * configurations). So grab read-only fd instead.
 		 */
-		hd->loopdev_fd = loopcxt_get_fd(&lc);
+		hd->loopdev_fd = open(lc.device, O_RDONLY | O_CLOEXEC);
 		if (hd->loopdev_fd < 0) {
-			DBG(LOOP, ul_debugobj(cxt, "failed to get loopdev FD"));
+			DBG(LOOP,
+			    ul_debugobj(cxt, "failed to reopen loopdev FD"));
 			rc = -errno;
-		} else
-			loopcxt_set_fd(&lc, -1, 0);
+		}
 	}
 done:
 	loopcxt_deinit(&lc);
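
Review bot: In the failure branch after open(lc.device, O_RDONLY | O_CLOEXEC), DBG() runs before rc = -errno, so the debug call can overwrite the errno that open() set and the caller may get the wrong error code. Assign rc = -errno first (or save errno in a local) and log afterwards. The read-only reopen also relies on lc still holding its original fd until loopcxt_deinit(&lc) at done:, which is what keeps the device from being auto-cleared in between; the new comment should say that this ordering is required so a later cleanup does not move the deinit ahead of the open().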
-- 
2.35.3




