From b586e7d693d39247d854b03c15610173b7a42f61 Mon Sep 17 00:00:00 2001
From: Daniel Golle
Date: Mon, 13 Jul 2020 09:57:05 +0100
Subject: [PATCH] jail: don't make mount source read-only

From mount(2): Specifying mountflags as: MS_REMOUNT | MS_BIND | MS_RDONLY will make access through this mountpoint read-only, without affecting other mount points. Hence use MS_BIND when remounting container rootfs read-only.

Signed-off-by: Daniel Golle
---
 jail/jail.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/jail/jail.c b/jail/jail.c
index e8abd8a..aa6288e 100644
--- a/jail/jail.c
+++ b/jail/jail.c
@@ -533,7 +533,7 @@ static int build_jail_fs(void)
 mount("sysfs", "/sys", "sysfs", MS_NOATIME | MS_NODEV | MS_NOEXEC | MS_NOSUID | MS_RDONLY, 0);
 }
 if (opts.ronly)
- mount(NULL, "/", NULL, MS_RDONLY | MS_REMOUNT, 0);
+ mount(NULL, "/", NULL, MS_REMOUNT | MS_BIND | MS_RDONLY, 0);

 return 0;
 }
--
2.30.2
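Review bot: The result of the read-only remount under `if (opts.ronly)` is still discarded, so if it fails the jail is set up with a writable root and `build_jail_fs` returns 0 as though the confinement had been applied. That matters more with the new flag set: a `MS_REMOUNT | MS_BIND` call replaces the per-mount-point flags with exactly those passed, so any `MS_NOSUID`/`MS_NODEV`/`MS_NOEXEC` already on `/` would be dropped, and inside a user namespace the kernel can refuse the call with EPERM when locked flags are omitted (how `/` was mounted is outside this hunk, so confirm which applies). I would fail closed, e.g. `if (opts.ronly && mount(NULL, "/", NULL, MS_REMOUNT | MS_BIND | MS_RDONLY, 0)) return -1;`, assuming callers treat a non-zero return as a setup failure, and carry over the existing mount flags if the root is expected to keep them. The body of `build_jail_fs` starts above the hunk.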