diff options
author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2020-05-21 16:26:20 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-05-21 16:26:20 +0200 |
commit | 835d2644b85a70d8483df44e93397beabf6518a0 (patch) | |
tree | 7ea9dd720282f9a354a5356a647515cc74e6ff44 | |
parent | 8b49d10550d32e066bc834768a44d6c848f4db3e (diff) | |
parent | cc65430145aee98ffefc4b9a505793e470134e94 (diff) | |
download | podman-835d2644b85a70d8483df44e93397beabf6518a0.tar.gz podman-835d2644b85a70d8483df44e93397beabf6518a0.tar.bz2 podman-835d2644b85a70d8483df44e93397beabf6518a0.zip |
Merge pull request #6280 from mheon/switch_off_noexec
Turn off 'noexec' option by default for named volumes
-rw-r--r-- | pkg/util/mountOpts_linux.go | 2 | ||||
-rw-r--r-- | test/e2e/create_test.go | 2 | ||||
-rw-r--r-- | test/e2e/run_volume_test.go | 2 | ||||
-rw-r--r-- | test/system/160-volumes.bats | 11 |
4 files changed, 9 insertions, 8 deletions
diff --git a/pkg/util/mountOpts_linux.go b/pkg/util/mountOpts_linux.go index 3eac4dd25..bc7c675f3 100644 --- a/pkg/util/mountOpts_linux.go +++ b/pkg/util/mountOpts_linux.go @@ -7,7 +7,7 @@ import ( ) func getDefaultMountOptions(path string) (defaultMountOptions, error) { - opts := defaultMountOptions{true, true, true} + opts := defaultMountOptions{false, true, true} if path == "" { return opts, nil } diff --git a/test/e2e/create_test.go b/test/e2e/create_test.go index 7d4858551..0a6373bfa 100644 --- a/test/e2e/create_test.go +++ b/test/e2e/create_test.go @@ -207,7 +207,7 @@ var _ = Describe("Podman create", func() { session = podmanTest.Podman([]string{"logs", "test_tmpfs"}) session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(0)) - Expect(session.OutputToString()).To(ContainSubstring("/create/test rw,nosuid,nodev,noexec,relatime - tmpfs")) + Expect(session.OutputToString()).To(ContainSubstring("/create/test rw,nosuid,nodev,relatime - tmpfs")) }) It("podman create --pod automatically", func() { diff --git a/test/e2e/run_volume_test.go b/test/e2e/run_volume_test.go index 1f892d9f8..58091ff68 100644 --- a/test/e2e/run_volume_test.go +++ b/test/e2e/run_volume_test.go @@ -117,7 +117,7 @@ var _ = Describe("Podman run with volumes", func() { session = podmanTest.Podman([]string{"run", "--rm", "--mount", "type=tmpfs,target=" + dest, ALPINE, "grep", dest, "/proc/self/mountinfo"}) session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(0)) - Expect(session.OutputToString()).To(ContainSubstring(dest + " rw,nosuid,nodev,noexec,relatime - tmpfs")) + Expect(session.OutputToString()).To(ContainSubstring(dest + " rw,nosuid,nodev,relatime - tmpfs")) session = podmanTest.Podman([]string{"run", "--rm", "--mount", "type=tmpfs,target=/etc/ssl,tmpcopyup", ALPINE, "ls", "/etc/ssl"}) session.WaitWithDefaultTimeout() diff --git a/test/system/160-volumes.bats b/test/system/160-volumes.bats index 5d65a950f..3233e6f04 100644 --- a/test/system/160-volumes.bats +++ b/test/system/160-volumes.bats @@ -115,7 +115,8 @@ echo "got here -$rand-" EOF chmod 755 $mountpoint/myscript - # By default, volumes are mounted noexec. This should fail. + # By default, volumes are mounted exec, but we have manually added the + # noexec option. This should fail. # ARGH. Unfortunately, runc (used for cgroups v1) produces a different error local expect_rc=126 local expect_msg='.* OCI runtime permission denied.*' @@ -125,12 +126,12 @@ EOF expect_msg='.* exec user process caused.*permission denied' fi - run_podman ${expect_rc} run --rm --volume $myvolume:/vol:z $IMAGE /vol/myscript + run_podman ${expect_rc} run --rm --volume $myvolume:/vol:noexec,z $IMAGE /vol/myscript is "$output" "$expect_msg" "run on volume, noexec" - # With exec, it should pass - run_podman run --rm -v $myvolume:/vol:z,exec $IMAGE /vol/myscript - is "$output" "got here -$rand-" "script in volume is runnable with exec" + # With the default, it should pass + run_podman run --rm -v $myvolume:/vol:z $IMAGE /vol/myscript + is "$output" "got here -$rand-" "script in volume is runnable with default (exec)" # Clean up run_podman volume rm $myvolume |