From c4a47947ab20c8d15a9acde9a8ef7db0757b8320 Mon Sep 17 00:00:00 2001
From: Johannes 'josch' Schauer
Date: Fri, 24 Jan 2020 10:14:10 +0100
Subject: [PATCH] mount /sys and /proc as read-only in root mode

---
 mmdebstrap | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/mmdebstrap b/mmdebstrap
index 803b618..696a21d 100755
--- a/mmdebstrap
+++ b/mmdebstrap
@@ -929,8 +929,9 @@ sub run_chroot {
 or warn "umount /sys failed: $?";
 };
 0 == system(
- 'mount', '-t', 'sysfs', '-o',
- 'nosuid,nodev,noexec', 'sys', "$options->{root}/sys"
+ 'mount', '-t', 'sysfs',
+ '-o', 'ro,nosuid,nodev,noexec', 'sys',
+ "$options->{root}/sys"
 ) or error "mount /sys failed: $?";
 } elsif ($options->{mode} eq 'unshare') {
 # naturally we have to clean up after ourselves in sudo mode where
@@ -978,7 +979,8 @@ sub run_chroot {
 0 == system('umount', "$options->{root}/proc")
 or error "umount /proc failed: $?";
 };
- 0 == system('mount', '-t', 'proc', 'proc', "$options->{root}/proc")
+ 0 == system('mount', '-t', 'proc', '-o', 'ro', 'proc',
+ "$options->{root}/proc")
 or error "mount /proc failed: $?";
 } elsif ($options->{mode} eq 'unshare') {
 # naturally we have to clean up after ourselves in sudo mode where
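Review bot: The second hunk mounts proc with only `'-o', 'ro'`, while the sysfs mount in the first hunk passes `ro,nosuid,nodev,noexec`; the kernel may well apply those flags to procfs on its own, but spelling them out keeps the two mounts consistent and makes the intended hardening visible in the code rather than relying on filesystem defaults, e.g. `'mount', '-t', 'proc', '-o', 'ro,nosuid,nodev,noexec', 'proc',`. It would also help to record why these mounts are read-only, since nothing in the code says so; a one-line comment above each `system('mount', ...)` such as `# ro: nothing run inside the chroot should be able to alter host kernel knobs under /proc/sys or /sys` would capture the reason the commit message gives. Note that a read-only /proc is presumably still a change in behaviour for any hook that writes there during the build — worth a mention in the commit description if such hooks are expected. Both hunks sit inside run_chroot, whose body starts and ends outside the hunks.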