meta-lxatac-software: distro: tacos: make /srv on the rootfs read-only

We do not want any service to write to /srv (in the root filesystem) before the /srv partition is set up and mounted. Make the directory read only to make sure of that. Signed-off-by: Leonard Göhrs <l.goehrs@pengutronix.de>
linux-automation · Nov 12, 2024 · 9b47447 · 9b47447
1 parent 8ac553f
commit 9b47447
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/meta-lxatac-software/conf/distro/tacos.conf b/meta-lxatac-software/conf/distro/tacos.conf
@@ -40,6 +40,10 @@ USERADD_ERROR_DYNAMIC = "error"
 USERADD_UID_TABLES = "files/passwd"
 USERADD_GID_TABLES = "files/group"
 
+# Mark /srv in the root filesystem as read only to prevent anyone from writing
+# to it before the /srv partition is mounted.
+FILESYSTEM_PERMS_TABLES += "files/fs-perms-srv-ro.txt"
+
 # do not include libc variant name in tmp directory
 TCLIBCAPPEND = ""
 

diff --git a/meta-lxatac-software/files/fs-perms-srv-ro.txt b/meta-lxatac-software/files/fs-perms-srv-ro.txt
@@ -0,0 +1,5 @@
+# This matches the original fs-perms.txt.
+# The only difference is that write permissions for the owner were removed
+# (0755 -> 0555) to prevent anyone from writing to the rootfs /srv instead of
+# the /srv partition.
+/srv				0555	root	root	false - - -