From a78c5fb66511044b1e69e5c3fef4b72347376319 Mon Sep 17 00:00:00 2001
From: Michael Marineau
Date: Thu, 27 Mar 2014 21:52:40 -0700
Subject: [PATCH] fix(vm_image_util): Keep most partitions mounted read-only. This ensures that the only partition being modified is OEM.
---
 build_library/vm_image_util.sh | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/build_library/vm_image_util.sh b/build_library/vm_image_util.sh
index 2623ebc044..0f3c66eaa7 100644
--- a/build_library/vm_image_util.sh
+++ b/build_library/vm_image_util.sh
@@ -227,6 +227,19 @@ setup_disk_image() {
 if [[ $(_get_vm_opt BOOT_KERNEL) -eq 0 ]]; then
 sudo mv "${SYSLINUX_DIR}/default.cfg.A" "${SYSLINUX_DIR}/default.cfg"
 fi
+
+ # The only filesystem after this point that may be modified is OEM
+ # Note: it would be more logical for disk_util to mount things read-only
+ # to begin with but I'm having trouble making that work reliably.
+ # When mounting w/ ro the automatically allocated loop device will
+ # also be configured as read-only. blockdev --setrw will change that
+ # but io will start throwing errors so that clearly isn't sufficient.
+ local mnt
+ for mnt in $(findmnt -nrR -o target -T "${VM_TMP_ROOT}"); do
+ if [[ "${mnt}" != */usr/share/oem ]]; then
+ sudo mount -o remount,ro "${mnt}"
+ fi
+ done
 }

 # If the current type defines a oem package install it to the given fs image.
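Review bot: The `findmnt -nrR -o target -T "${VM_TMP_ROOT}"` call in the added loop falls back to the filesystem that contains the path when the path is not itself a mountpoint, so if `VM_TMP_ROOT` is ever not mounted at this point the loop would enumerate the build host's own mount tree and remount it read-only under sudo. Whether an earlier step guarantees the mount cannot be told from here, because setup_disk_image begins outside the hunk. Matching the exact mountpoint with `findmnt -nrR -o target -M "${VM_TMP_ROOT}"`, or guarding the loop with `mountpoint -q "${VM_TMP_ROOT}" || return 1`, would keep the remounts confined to the image. The status of `sudo mount -o remount,ro "${mnt}"` is also not checked in the visible lines, so a busy partition that stays writable would silently break the "only OEM is modified" guarantee; `sudo mount -o remount,ro "${mnt}" || return 1` makes that failure visible unless the script already runs under `set -e`.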