1545356001 Q * Aiken Ping timeout: 480 seconds
1545356499 J * Aiken ~Aiken@2001:44b8:2168:1000:944b:49ff:feec:298
1545367112 Q * any0n Ping timeout: 480 seconds
1545367222 J * any0n ~k@4JHAABBZY.tor-irc.dnsbl.oftc.net
1545370813 M * Bertl_oO off to bed now ... have a good one everyone!
1545370814 N * Bertl_oO Bertl_zZ
1545379780 J * hijacker ~nikolay@149.235.255.3
1545387800 M * thithib Bertl_zZ: you may also be interested in that: https://github.com/clipos-archive/src_platform_clip-patches/blob/master/1520_bind_mount_readonly.patch
1545388259 Q * transacid Ping timeout: 480 seconds
1545388461 J * transacid ~transacid@transacid.de
1545388837 M * AlexanderS thithib: Oh, readonly bind mounts are currently writeable? That might be a security issue.
1545389065 N * Bertl_zZ Bertl
1545389070 M * Bertl morning folks!
1545389692 M * Bertl upstream decided that read only bind mounts are a two step process
1545389713 M * Bertl i.e. you do the loopback mount (fs bind mount) and then you remount it read-only
1545389749 M * Bertl this is what the 'mount' utility does when you specify ro to a bind mount
1545389775 M * Bertl (note that this should work just fine without the linked patch)
1545389850 M * Bertl there is an argument to have that this could create a security issue for the brief moment the bind is created but still rw till the remount,ro kicks in
1545390036 M * AlexanderS I just tried a "mount -o bind,ro" in the host and the mount is writable. :-/ (But I have a ro bind mount from the host to a guest, that is working fine.)
1545390103 M * Bertl try mount --bind -o ro
1545390139 M * AlexanderS mkdir -p /mnt/test; mount --bind -o ro /tmp /mnt/test; date > /mnt/test/foobar; umount /mnt/test; cat /tmp/foobar
1545390142 M * AlexanderS Same result.
1545390183 M * Bertl can you check with strace what this mount actually does?
1545390256 M * AlexanderS Sure, one moment.
1545390263 M * Bertl it might be that we indeed missed this hunk, but I wonder how it would work for a host/guest mount in that case :)
1545390313 M * Bertl I'd expect something like:
1545390318 M * Bertl mount("/tmp", "/mnt/test", 0x12871b0, MS_MGC_VAL|MS_RDONLY|MS_BIND, NULL) = 0
1545390318 M * Bertl mount("none", "/mnt/test", NULL, MS_RDONLY|MS_REMOUNT|MS_BIND, NULL) = 0
1545390455 M * AlexanderS http://sprunge.us/at3kbW
1545390483 M * AlexanderS It is only doing this: mount("/tmp", "/mnt/test", 0x14abff0, MS_MGC_VAL|MS_RDONLY|MS_BIND, NULL) = 0
1545390494 M * Bertl what distro is that?
1545390509 M * Bertl i.e. where does the mount utility come from?
1545390530 M * AlexanderS Debian GNU/Linux 8.11 (jessie)
1545390556 M * Bertl which version of util-linux do they use? (mount --version)
1545390603 M * AlexanderS "mount from util-linux 2.25.2 (libmount 2.25.0: selinux, assert, debug)"
1545390691 M * Bertl hmm, that's from 2014 or so, IIRC
1545390708 M * Bertl so might be worth updating :)
1545390728 M * AlexanderS Yes, it's on my todo list...
1545390733 M * Bertl anyway, please check on a non Linux-VServer kernel if the behavior is different
1545390987 M * AlexanderS Hmm, same behaviour on a stock debian jessie kernel. Okay, not a linux-vserver bug.
1545391098 M * Bertl we can consider it a missing feature and I do not really mind adding it (back) if there are no other implications (which needs to be investigated)
1545391159 M * AlexanderS Ah... "mount -o bind /tmp /mnt/test; mount -o remount,ro,bind /mnt/test" works.
1545391184 M * Bertl yes, that is what recent util-linux does :)
1545391209 M * Bertl (and util-vserver too as it seems :)
1545393542 M * Bertl off for now ... bbl
1545393543 N * Bertl Bertl_oO
1545394950 Q * Aiken Remote host closed the connection
1545399577 M * thithib yes, and the hunk I linked above makes it so you don't need the remount
1545408784 Q * hijacker
1545419264 J * Aiken ~Aiken@b951.h.jbmb.net
1545423541 Q * obeardly Ping timeout: 480 seconds
1545424066 J * obeardly ~obeardly@2603:3011:1661:0:9657:a5ff:feae:1552
1545431825 Q * obeardly Quit: Leaving
1545435988 J * obeardly ~obeardly@2603:3011:1661:0:9657:a5ff:feae:1552