make-read-only-fs 1 user commands nosh make-read-only-fs populate various private-mount parts of the filesystem make-read-only-fs --os --etc --homes --sysctl --cgroups --include directory --except directory next-prog make-read-only-fs is a chain-loading utility that re-mounts volumes in various parts of the filesystem namespace as read-only, and then chain loads to next-prog with the execvp3 function. next-prog may contain its own command line options, which make-read-only-fs will ignore. The parts of the filesystem that are re-mounted are controlled by command-line options as follows: --os /usr is re-mounted read-only. --etc /etc is re-mounted read-only. --homes /etc is re-mounted read-only. --sysctl /sys, /proc/sys, /proc/sysrq-trigger, /proc/latency_stats, /proc/acpi, /proc/timer_stats, /proc/fs, and /proc/irq are re-mounted read-only. --cgroups /sys/fs/cgroup is re-mounted read-only. --include directory directory is re-mounted read-only. --except directory directory is re-mounted read-write. The command will fail if the process is not running under the aegis of the superuser, because most of the internal operations necessary are not permitted to non-superusers. make-read-only-fs is usually run chain-loaded from unshare1. Beware: Running it without unsharing first will affect the global mount namespace. Jonathan de Boyne Pollard