From 9b37ef30c86916fbfe66ddb83a3c3201e51a45e4 Mon Sep 17 00:00:00 2001
From: Tuomas Katila <tuomas.katila@intel.com>
Date: Mon, 9 Sep 2024 16:21:39 +0300
Subject: [PATCH] mount by-path directories as read-only

Signed-off-by: Tuomas Katila <tuomas.katila@intel.com>
---
 cmd/gpu_plugin/gpu_plugin.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cmd/gpu_plugin/gpu_plugin.go b/cmd/gpu_plugin/gpu_plugin.go
index 095127f50..f048b13d5 100644
--- a/cmd/gpu_plugin/gpu_plugin.go
+++ b/cmd/gpu_plugin/gpu_plugin.go
@@ -257,7 +257,7 @@ func (dp *devicePlugin) bypathMountsForPci(pciAddress, bypathDir string) []plugi
 			mounts = append(mounts, pluginapi.Mount{
 				ContainerPath: absPath,
 				HostPath:      absPath,
-				ReadOnly:      false,
+				ReadOnly:      true,
 			})
 		}
 	}
@@ -529,7 +529,7 @@ func (dp *devicePlugin) createMountsAndCDIDevices(cardPath, name string, devSpec
 			HostPath:      mount.HostPath,
 			ContainerPath: mount.ContainerPath,
 			Type:          "none",
-			Options:       []string{"bind", "rw"},
+			Options:       []string{"bind", "ro"},
 		})
 	}