author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2019-02-25 20:23:08 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-02-25 20:23:08 +0100 |
commit | 6fc18e7d07e8263faca8341efb0220bf4be4f417 (patch) | |
tree | 421f2f14d03f8361384392fabd22f4fcbcc237ce | |
parent | 26ce470e7fb681fe36295c442ab21775bae09d3f (diff) | |
parent | 0f5ae3c5af60f95b73c709b51db50d39ae1b3693 (diff) | |
Merge pull request #2432 from giuseppe/fix-read-only-bind-mounts
podman: fix ro bind mounts if no* opts are on the source
-rw-r--r-- | pkg/spec/spec.go | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index 76b8963ff..28a636fa6 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -3,10 +3,12 @@ package createconfig
 import (
 	"os"
 	"path"
+	"path/filepath"
 	"strings"
 
 	"github.com/containers/libpod/pkg/rootless"
 	"github.com/containers/storage/pkg/mount"
+	pmount "github.com/containers/storage/pkg/mount"
 	"github.com/docker/docker/daemon/caps"
 	"github.com/docker/go-units"
 	"github.com/opencontainers/runc/libcontainer/user"
@@ -392,9 +394,65 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
 		configSpec.Linux.Resources = &spec.LinuxResources{}
 	}
 
+	// Make sure that the bind mounts keep options like nosuid, noexec, nodev.
+	mounts, err := pmount.GetMounts()
+	if err != nil {
+		return nil, err
+	}
+	for i := range configSpec.Mounts {
+		m := &configSpec.Mounts[i]
+		isBind := false
+		for _, o := range m.Options {
+			if o == "bind" || o == "rbind" {
+				isBind = true
+				break
+			}
+		}
+		if !isBind {
+			continue
+		}
+		mount, err := findMount(m.Source, mounts)
+		if err != nil {
+			return nil, err
+		}
+		if mount == nil {
+			continue
+		}
+	next_option:
+		for _, o := range strings.Split(mount.Opts, ",") {
+			if o == "nosuid" || o == "noexec" || o == "nodev" {
+				for _, e := range m.Options {
+					if e == o {
+						continue next_option
+					}
+				}
+				m.Options = append(m.Options, o)
+			}
+		}
+	}
+
 	return configSpec, nil
 }
 
+func findMount(target string, mounts []*pmount.Info) (*pmount.Info, error) {
+	var err error
+	target, err = filepath.Abs(target)
+	if err != nil {
+		return nil, errors.Wrapf(err, "cannot resolve %s", target)
+	}
+	var bestSoFar *pmount.Info
+	for _, i := range mounts {
+		if bestSoFar != nil && len(bestSoFar.Mountpoint) > len(i.Mountpoint) {
+			// Won't be better than what we have already found
+			continue
+		}
+		if strings.HasPrefix(target, i.Mountpoint) {
+			bestSoFar = i
+		}
+	}
+	return bestSoFar, nil
+}
+
 func blockAccessToKernelFilesystems(config *CreateConfig, g *generate.Generator) {
 	if config.PidMode.IsHost() && rootless.IsRootless() {
 		return
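Review bot: `findMount`'s `strings.HasPrefix(target, i.Mountpoint)` matches on a raw string prefix, so a bind source such as `/srv/data2` is claimed by a mount at `/srv/data` and the container mount inherits that filesystem's `nosuid`/`noexec`/`nodev` flags rather than its own — and since the loop keeps the longest prefix, that wrong entry wins over a shorter correct one. Compare on a path boundary instead: `if target == i.Mountpoint || strings.HasPrefix(target, strings.TrimSuffix(i.Mountpoint, "/")+"/") {`. In the same function `filepath.Abs` returns `""` on error, so the `errors.Wrapf` message reports an empty path — keep the caller's value by assigning to a fresh variable (`abs, err := filepath.Abs(target)`); and since `Abs` does not follow symlinks, a source reached through a symlink may not match the mount table's resolved mountpoints and would silently keep none of the flags, which `filepath.EvalSymlinks` would address if the callers' sources can be symlinks (not visible here). The new `pmount` alias duplicates the existing `mount` import, apparently only because the loop's local variable `mount` shadows the package; renaming the local (e.g. `mi`) would let the duplicate import go. `CreateConfigToOCISpec` begins outside the hunk.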