From 6711d7ae99c50a9dca8e4e2e9e9989a8fa6c3f06 Mon Sep 17 00:00:00 2001
From: Alexander Larsson
Date: Mon, 12 Nov 2018 11:15:08 +0100
Subject: [PATCH] Don't allow writes to runtime files in /etc

We mistakenly bind-mounted the runtime /usr/etc files read-write in /etc, which means that application could modify some parts of the runtimes (at least when using a per-user installed runtime). Fix this by using a --ro-bind.
---
 common/flatpak-run.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index 0abca6d8..573ff9c8 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -2466,7 +2466,7 @@ flatpak_run_setup_base_argv (FlatpakBwrap *bwrap,
 }
 else
 {
- flatpak_bwrap_add_args (bwrap, "--bind", src, dest, NULL);
+ flatpak_bwrap_add_args (bwrap, "--ro-bind", src, dest, NULL);
 }
 }
 }
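Review bot: The corrected `--ro-bind` call carries no comment stating why this mount must be read-only, so the invariant described in the commit message lives only in git history and a later refactor could quietly reintroduce `--bind`. Suggest adding `/* Runtime /usr/etc content must never be writable from the sandbox; a read-write bind would let the app alter a per-user installed runtime. */` directly above the call. The `if` branch that this `else` pairs with is outside the hunk, so I cannot see how it mounts `src`; if it also binds runtime files it is worth confirming that path is read-only as well. flatpak_run_setup_base_argv begins and ends outside the hunk.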