From 53647e347f379fd542d8de390d9b3729be31e45a Mon Sep 17 00:00:00 2001
From: Sergey Bugaev
Date: Thu, 28 May 2020 18:06:13 +0300
Subject: [PATCH] Kernel+Base: Mount root filesystem read-only :^) We remount /home and /root as read-write, to keep the ability to modify files there. /tmp remains read-write, as it is mounted from a TmpFS.
---
 Base/etc/fstab | 12 +++++++-----
 Kernel/FileSystem/VirtualFileSystem.cpp | 5 +++--
 2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/Base/etc/fstab b/Base/etc/fstab
index a80aefc78a..4d34ba1d0b 100644
--- a/Base/etc/fstab
+++ b/Base/etc/fstab
@@ -1,10 +1,12 @@
 # Root file system. This is a fake entry which gets ignored by `mount -a`;
 # the actual logic for mounting root is in the kernel.
-/dev/hda / ext2 nodev,nosuid
-# Remount /bin and /dev while adding the appropriate permissions.
-/dev /dev bind bind,nosuid
-/bin /bin bind bind,nodev
+/dev/hda / ext2 nodev,nosuid,ro
+# Remount /bin, /dev, /root, and /home while adding the appropriate permissions.
+/dev /dev bind bind,nosuid,ro
+/bin /bin bind bind,nodev,ro
+/home /home bind bind,nodev,nosuid
+/root /root bind bind,nodev,nosuid
 none /proc proc nosuid
-none /dev/pts devpts noexec,nosuid
+none /dev/pts devpts noexec,nosuid,ro
 none /tmp tmp nodev,nosuid
diff --git a/Kernel/FileSystem/VirtualFileSystem.cpp b/Kernel/FileSystem/VirtualFileSystem.cpp
index 54a6a9f4d8..b68eaffc67 100644
--- a/Kernel/FileSystem/VirtualFileSystem.cpp
+++ b/Kernel/FileSystem/VirtualFileSystem.cpp
@@ -42,6 +42,7 @@ namespace Kernel {
 static VFS* s_the;
 static constexpr int symlink_recursion_limit { 5 }; // FIXME: increase?
+static constexpr int root_mount_flags = MS_NODEV | MS_NOSUID | MS_RDONLY;
 VFS& VFS::the()
 {
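Review bot: The `ro` added to the `/dev/hda / ext2` line has no effect by itself, because the comment above it says this entry is ignored by `mount -a` and root is mounted by the kernel; what actually makes root read-only is `root_mount_flags` in Kernel/FileSystem/VirtualFileSystem.cpp. The comment should say that the two must be kept in step, for example `# Keep these options in sync with root_mount_flags in Kernel/FileSystem/VirtualFileSystem.cpp.`, so that nobody edits this line expecting to change how root is mounted. Separately, `ro` is now set on the `/dev` bind mount and on `/dev/pts`, where programs normally open device nodes for writing; this patch does not show whether the read-only check exempts writes to device nodes, so that is worth confirming before relying on these two entries.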
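Review bot: `root_mount_flags` is initialized with `=` while the constant directly above it, `symlink_recursion_limit { 5 }`, uses brace initialization; writing it as `static constexpr int root_mount_flags { MS_NODEV | MS_NOSUID | MS_RDONLY };` keeps the two declarations consistent. The constant also deserves a one-line comment, since it now decides how root is mounted, for example `// Root is mounted read-only; /home and /root are remounted read-write from Base/etc/fstab.`. The hunk ends at the opening brace of `VFS::the()`, whose body lies outside it.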
@@ -116,7 +117,7 @@ bool VFS::mount_root(FS& file_system)
 return false;
 }
- Mount mount { file_system, nullptr, MS_NODEV | MS_NOSUID };
+ Mount mount { file_system, nullptr, root_mount_flags };
 auto root_inode_id = mount.guest().fs()->root_inode();
 auto root_inode = mount.guest().fs()->get_inode(root_inode_id);
@@ -734,7 +735,7 @@ void VFS::sync()
 Custody& VFS::root_custody()
 {
 if (!m_root_custody)
- m_root_custody = Custody::create(nullptr, "", *m_root_inode, MS_NODEV | MS_NOSUID);
+ m_root_custody = Custody::create(nullptr, "", *m_root_inode, root_mount_flags);
 return *m_root_custody;
 }
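Review bot: `root_custody()` takes its flags from the compile-time constant rather than from the root `Mount` built in `mount_root()` (the hunk at -116; that function begins and ends outside its hunk), so the root flags are held in two objects that agree only because both read `root_mount_flags`. If root can ever be remounted with different flags, the cached `m_root_custody` would presumably keep the old ones, and read-only enforcement could then differ between the mount and the custody. Either create the custody from the flags recorded on the root mount, if `Mount` exposes them, or state the invariant next to the cache, e.g. `// Root mount flags are fixed after mount_root(); must match the Mount created there.`.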