From aed5a525777be452c8a451793cf9c16990ac5515 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Mon, 13 Aug 2012 16:24:30 +0200
Subject: [PATCH 1/1] machine-id: properly mount transient machine ID read-only
---
 src/core/machine-id-setup.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/core/machine-id-setup.c b/src/core/machine-id-setup.c
index c6fd77ac8..7f4c23b13 100644
--- a/src/core/machine-id-setup.c
+++ b/src/core/machine-id-setup.c
@@ -226,13 +226,17 @@ int machine_id_setup(void) {
 }
 /* And now, let's mount it over */
- r = mount("/run/machine-id", "/etc/machine-id", "bind", MS_BIND|MS_RDONLY, NULL) < 0 ? -errno : 0;
+ r = mount("/run/machine-id", "/etc/machine-id", NULL, MS_BIND, NULL) < 0 ? -errno : 0;
 if (r < 0) {
 unlink("/run/machine-id");
 log_error("Failed to mount /etc/machine-id: %s", strerror(-r));
- } else
+ } else {
 log_info("Installed transient /etc/machine-id file.");
+ /* Mark the mount read-only */
+ mount(NULL, "/etc/machine-id", NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, NULL);
+ }
+
 finish:
 if (fd >= 0)
--
2.30.2
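Review bot: The read-only remount added in the new `else { ... }` branch discards the return value of `mount()`, so a failed `MS_REMOUNT` leaves the bind mount over /etc/machine-id writable while the preceding `log_info` has already reported a successful install. Since the point of the commit is that the transient ID ends up read-only, the failure should at least be visible: `if (mount(NULL, "/etc/machine-id", NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, NULL) < 0)` followed by `log_warning("Failed to make transient /etc/machine-id read-only: %s", strerror(errno));`. Whether `r` should also carry that error back to the caller is a policy choice the hunk does not settle; a short comment saying the remount is best-effort would document the decision either way. The body of machine_id_setup() starts and ends outside the hunk, so the handling after `finish:` is not visible here.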