ryantimwilson / rpms / systemd

Forked from rpms/systemd a month ago
Clone
ac3a84
From ba5d26d85d0c4250b10a46a5c9cd3a3e1f0ce43b Mon Sep 17 00:00:00 2001
ac3a84
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
ac3a84
Date: Fri, 4 Nov 2022 19:36:31 +0100
ac3a84
Subject: [PATCH] loop-util: open lock fd read-only
ac3a84
ac3a84
flock(2) works with file descriptors opened with O_RDONLY.
ac3a84
ac3a84
This affects SELinux systems where access to block devices is quite
ac3a84
restricted to avoid bypasses on filesystem objects.
ac3a84
ac3a84
(cherry picked from commit 3e6b7d2626de9c0faf8b34b2629e8d6d8fa85a7d)
ac3a84
ac3a84
Related #2138081
ac3a84
---
ac3a84
 src/shared/loop-util.c | 2 +-
ac3a84
 1 file changed, 1 insertion(+), 1 deletion(-)
ac3a84
ac3a84
diff --git a/src/shared/loop-util.c b/src/shared/loop-util.c
ac3a84
index 731ce29112..fb7e80b1b5 100644
ac3a84
--- a/src/shared/loop-util.c
ac3a84
+++ b/src/shared/loop-util.c
ac3a84
@@ -77,7 +77,7 @@ static int open_lock_fd(int primary_fd, int operation) {
ac3a84
         assert(primary_fd >= 0);
ac3a84
         assert(IN_SET(operation & ~LOCK_NB, LOCK_SH, LOCK_EX));
ac3a84
 
ac3a84
-        lock_fd = fd_reopen(primary_fd, O_RDWR|O_CLOEXEC|O_NONBLOCK|O_NOCTTY);
ac3a84
+        lock_fd = fd_reopen(primary_fd, O_RDONLY|O_CLOEXEC|O_NONBLOCK|O_NOCTTY);
ac3a84
         if (lock_fd < 0)
ac3a84
                 return lock_fd;
ac3a84