From 0c0da4a5b1f7974ccb88ff3b32f4a700c423e492 Mon Sep 17 00:00:00 2001
From: xSmurf
Date: Sat, 27 Jun 2015 04:51:15 +0000
Subject: [PATCH] Blacklist items binded as readonly... take two
---
 fs/fs.go | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/fs/fs.go b/fs/fs.go
index ccb28d0..45e11d7 100644
--- a/fs/fs.go
+++ b/fs/fs.go
@@ -226,9 +226,6 @@ func (fs *Filesystem) blacklist(target string) error {
 if err := syscall.Mount(fs.absPath(src), fs.absPath(t), "", syscall.MS_BIND, "mode=400,gid=0"); err != nil {
 return fmt.Errorf("failed to bind %s -> %s for blacklist: %v", src, t, err)
 }
- if err := remount(fs.absPath(t), syscall.MS_RDONLY); err != nil {
- return fmt.Errorf("failed to bind %s -> %s for blacklist: %v", src, t, err)
- }
 return nil
 }
@@ -325,9 +322,26 @@ func (fs *Filesystem) CreateBlacklistPaths() error {
 if err := createBlacklistDir(fs.absPath(emptyDirPath)); err != nil {
 return err
 }
+ if err := rdonlyBindBlacklistItem(fs.absPath(emptyDirPath)); err != nil {
+ return err
+ }
+
 if err := createBlacklistFile(fs.absPath(emptyFilePath)); err != nil {
 return err
 }
+ if err := rdonlyBindBlacklistItem(fs.absPath(emptyFilePath)); err != nil {
+ return err
+ }
+ return nil
+}
+
+func rdonlyBindBlacklistItem(target string) error {
+ if err := syscall.Mount(target, target, "", syscall.MS_BIND, "mode=400,gid=0"); err != nil {
+ return err
+ }
+ if err := remount(target, syscall.MS_RDONLY); err != nil {
+ return err
+ }
 return nil
 }
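Review bot: In `rdonlyBindBlacklistItem` the options string `"mode=400,gid=0"` passed with `syscall.MS_BIND` has no effect, because mount(2) ignores the filesystem type and data arguments for a bind mount. The permissions of the two placeholders are therefore whatever `createBlacklistDir` and `createBlacklistFile` set (their bodies are not in this diff), so pass `""` here and enforce the mode in those helpers. Both error paths are a bare `return err`, unlike the `fmt.Errorf("failed to bind ...")` style kept in `blacklist`; wrapping them, e.g. `return fmt.Errorf("failed to remount %s read-only: %v", target, err)`, would show which sandbox setup step failed. With the remount removed from `blacklist` in the first hunk, every blacklisted target now relies on its bind inheriting the read-only flag from these two source mounts. That is worth a comment such as `// must run before any blacklist() call: targets inherit MS_RDONLY from these mounts`, and presumably a test that a write to a blacklisted path fails.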