nsjail
Note about non-recursive readonly mounts?
When I first saw `--chroot` with `--rw`, I was under the impression that if I do `--chroot /`, then the whole system is mounted RO, so nothing can be modified (this is how `--ro-bind` in bubblewrap works). If not for the quick test, I'd still assume that's the case. Then I saw `--bindmount_ro`, but it seems that it works the same way.

While my case is not important, it's not impossible that some other users could misinterpret those options the same way I did (especially `--bindmount_ro` if they've used bubblewrap before).

Now I see that this behaviour is intended, but maybe the doc could be improved a bit? (I don't really know how.)
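A quick way to verify the behaviour described above from inside the sandbox, as an added example that is not nsjail's or bubblewrap's own code: read `/proc/self/mountinfo` and list every mount point under the supposedly read-only tree whose per-mount options do not contain `ro`. The two mount tables embedded in the script are constructed sample data, not output captured from nsjail; the first mirrors a non-recursive read-only bind of `/` (sub-mounts stay writable), the second a fully read-only tree.

```python
"""List mount points under a read-only tree that are still writable.

Added example, not nsjail's code. It parses the Linux /proc/self/mountinfo
format. The MS_RDONLY state of a bind mount lives in the per-mount options
(field 6), not in the super-block options after the " - " separator, so a
read-only bind over a read-write filesystem shows "ro" before the dash and
"rw" after it. Sub-mounts that a non-recursive read-only bind did not cover
show "rw" before the dash, which is what this script reports.
"""
import os
import re
from typing import Dict, List

# Constructed sample: "/" bind-mounted read-only, but the sub-mounts were
# left untouched, so they are still read-write (the non-recursive case).
NON_RECURSIVE_JAIL = """\
100 99 8:1 / / ro,relatime - ext4 /dev/sda1 rw,errors=remount-ro
101 100 0:5 / /dev rw,nosuid - devtmpfs devtmpfs rw,size=4k
102 100 0:22 / /proc rw,nosuid,nodev,noexec - proc proc rw
103 100 0:31 / /tmp rw,nosuid,nodev - tmpfs tmpfs rw
104 100 8:2 / /home rw,relatime - ext4 /dev/sda2 rw
105 100 0:40 / /mnt/with\\040space rw,relatime - tmpfs tmpfs rw
"""

# Constructed sample: every mount under "/" carries the ro flag itself.
RECURSIVE_RO_JAIL = """\
100 99 8:1 / / ro,relatime - ext4 /dev/sda1 rw,errors=remount-ro
101 100 0:5 / /dev ro,nosuid - devtmpfs devtmpfs rw,size=4k
102 100 0:22 / /proc ro,nosuid,nodev,noexec - proc proc rw
103 100 0:31 / /tmp ro,nosuid,nodev - tmpfs tmpfs rw
104 100 8:2 / /home ro,relatime - ext4 /dev/sda2 rw
"""


def _unescape(field: str) -> str:
    """mountinfo escapes space, tab, newline and backslash as \\040 etc."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text: str) -> List[Dict[str, object]]:
    """Parse mountinfo lines into dicts with mount point and per-mount options."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Optional fields (e.g. shared:1) sit before the " - " separator.
        pre, _, post = line.partition(" - ")
        fields = pre.split()
        post_fields = post.split()
        mounts.append({
            "id": int(fields[0]),
            "parent": int(fields[1]),
            "point": _unescape(fields[4]),
            "options": fields[5].split(","),
            "fstype": post_fields[0] if post_fields else "",
        })
    return mounts


def _under(point: str, root: str) -> bool:
    """True if `point` is `root` or lies below it."""
    prefix = root.rstrip("/") + "/"
    return point == (root.rstrip("/") or "/") or point.startswith(prefix)


def writable_submounts(text: str, root: str = "/") -> List[str]:
    """Mount points under `root` whose per-mount options lack the ro flag."""
    return sorted(
        str(m["point"])
        for m in parse_mountinfo(text)
        if _under(str(m["point"]), root) and "ro" not in m["options"]
    )


if __name__ == "__main__":
    print("non-recursive sample, still writable:", writable_submounts(NON_RECURSIVE_JAIL))
    print("recursive sample, still writable:", writable_submounts(RECURSIVE_RO_JAIL))
    # Inside a real sandbox, inspect the live mount table.
    if os.path.exists("/proc/self/mountinfo"):
        with open("/proc/self/mountinfo") as fh:
            print("this process, writable under /:", writable_submounts(fh.read()))
```

Run it as the jailed command (for example as the program nsjail executes) and anything it prints for the live table is a mount point the read-only flag did not cover; on the constructed non-recursive table it lists `/dev`, `/home`, `/mnt/with space`, `/proc` and `/tmp`, while the fully read-only table yields nothing.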
I guess it is a historical option, but it is really handy for some PoCs. As you say, you can do the equivalent by bind-mounting the root. Thinking this way, it is reasonable for it to be writable by default. In `config.proto` the corresponding option `chroot_dir` is marked as deprecated. It is never good practice to just chroot and execute untrusted programs.

Nevertheless, since it is still a dangerous option, and there is indeed a safer way, I suggest emitting a warning whenever this option is used.
Sorry, I got the wrong idea. This issue is trickier than I originally thought.