From 2c3420204e25c31b6768f8e30ade348db757b722 Mon Sep 17 00:00:00 2001
From: nl6720 <nl6720@gmail.com>
Date: Sat, 26 Nov 2022 20:00:40 +0200
Subject: mkarchiso: open the ARCHISO_GNUPG_FD, ARCHISO_TLS_FD and
 ARCHISO_TLSCA_FD file descriptors only for reading

Nothing should ever be written to these files, so let's make sure it cannot happen.
---
 CHANGELOG.rst     | 2 ++
 archiso/mkarchiso | 6 +++---
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 982c722..4fa88db 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -13,6 +13,8 @@ Changed
 -------
 
 - Check if the GPG public key file was successfully placed in the work directory before trying to use it.
+- Open the file descriptors for code signing certificates and GPG public key as read only. Nothing from the within the
+  ``pacstrap`` invoked chroot should ever be allowed to write outside of it.
 
 Removed
 -------
diff --git a/archiso/mkarchiso b/archiso/mkarchiso
index 9000044..7a3fd1c 100755
--- a/archiso/mkarchiso
+++ b/archiso/mkarchiso
@@ -336,15 +336,15 @@ _make_packages() {
     _msg_info "Installing packages to '${pacstrap_dir}/'..."
 
     if [[ -v gpg_publickey ]]; then
-        exec {ARCHISO_GNUPG_FD}<>"$gpg_publickey"
+        exec {ARCHISO_GNUPG_FD}<"$gpg_publickey"
         export ARCHISO_GNUPG_FD
     fi
     if [[ -v cert_list[0] ]]; then
-        exec {ARCHISO_TLS_FD}<>"${cert_list[0]}"
+        exec {ARCHISO_TLS_FD}<"${cert_list[0]}"
         export ARCHISO_TLS_FD
     fi
     if [[ -v cert_list[2] ]]; then
-        exec {ARCHISO_TLSCA_FD}<>"${cert_list[2]}"
+        exec {ARCHISO_TLSCA_FD}<"${cert_list[2]}"
         export ARCHISO_TLSCA_FD
     fi
 
-- 
cgit v1.2.3-54-g00ecf