summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel J Walsh <dwalsh@redhat.com>2018-11-16 06:51:26 -0500
committerDaniel J Walsh <dwalsh@redhat.com>2018-11-28 07:53:28 -0500
commit3beacb73bced227b211bf3b8710382b94358614b (patch)
tree5cd787b22935645c92c613b79081bb132e361944
parent193e6197567e47f9650a33ed09d435a0ec0df803 (diff)
downloadpodman-3beacb73bced227b211bf3b8710382b94358614b.tar.gz
podman-3beacb73bced227b211bf3b8710382b94358614b.tar.bz2
podman-3beacb73bced227b211bf3b8710382b94358614b.zip
Disable mount options when running --privileged
We now default to setting storage options to "nodev", when running privileged containers, we need to turn this off so the processes can manipulate the image. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
-rw-r--r--docs/podman-create.1.md7
-rw-r--r--docs/podman-run.1.md5
-rw-r--r--libpod/container_internal.go21
3 files changed, 28 insertions, 5 deletions
diff --git a/docs/podman-create.1.md b/docs/podman-create.1.md
index 68c00685b..ab2cb8c60 100644
--- a/docs/podman-create.1.md
+++ b/docs/podman-create.1.md
@@ -465,9 +465,10 @@ By default, podman containers are
This is because by default a container is not allowed to access any devices.
A “privileged” container is given access to all devices.
-When the operator executes **podman run --privileged**, podman enables access
-to all devices on the host as well as set turn off most of the security measures
-protecting the host from the container.
+When the operator executes a privileged container, podman enables access
+to all devices on the host, turns off graphdriver mount options, as well as
+turning off most of the security measures protecting the host from the
+container.
**-p**, **--publish**=[]
diff --git a/docs/podman-run.1.md b/docs/podman-run.1.md
index 912026a55..f99d2f863 100644
--- a/docs/podman-run.1.md
+++ b/docs/podman-run.1.md
@@ -450,8 +450,9 @@ container is not allowed to access any devices. A “privileged” container
is given access to all devices.
When the operator executes **podman run --privileged**, podman enables access
-to all devices on the host as well as set turn off most of the security measures
-protecting the host from the container.
+to all devices on the host, turns off graphdriver mount options, as well as
+turning off most of the security measures protecting the host from the
+container.
**-p**, **--publish**=[]
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index 051e0aeb7..a426191a4 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -273,6 +273,27 @@ func (c *Container) setupStorage(ctx context.Context) error {
},
LabelOpts: c.config.LabelOpts,
}
+ if c.config.Privileged {
+ privOpt := func(opt string) bool {
+ for _, privopt := range []string{"nodev", "nosuid", "noexec"} {
+ if opt == privopt {
+ return true
+ }
+ }
+ return false
+ }
+ defOptions, err := storage.GetDefaultMountOptions()
+ if err != nil {
+ return errors.Wrapf(err, "error getting default mount options")
+ }
+ var newOptions []string
+ for _, opt := range defOptions {
+ if !privOpt(opt) {
+ newOptions = append(newOptions, opt)
+ }
+ }
+ options.MountOpts = newOptions
+ }
if c.config.Rootfs == "" {
options.IDMappingOptions = c.config.IDMappings