authorDaniel J Walsh <dwalsh@redhat.com>2018-11-16 06:51:26 -0500
committerDaniel J Walsh <dwalsh@redhat.com>2018-11-28 07:53:28 -0500
commit3beacb73bced227b211bf3b8710382b94358614b (patch)
tree5cd787b22935645c92c613b79081bb132e361944
parent193e6197567e47f9650a33ed09d435a0ec0df803 (diff)
Disable mount options when running --privileged
We now default to setting the storage mount option "nodev"; when running privileged containers, we need to turn this off so the processes can manipulate the image. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
-rw-r--r--docs/podman-create.1.md7
-rw-r--r--docs/podman-run.1.md5
-rw-r--r--libpod/container_internal.go21
3 files changed, 28 insertions, 5 deletions
diff --git a/docs/podman-create.1.md b/docs/podman-create.1.md
index 68c00685b..ab2cb8c60 100644
--- a/docs/podman-create.1.md
+++ b/docs/podman-create.1.md
@@ -465,9 +465,10 @@ By default, podman containers are
This is because by default a container is not allowed to access any devices.
A “privileged” container is given access to all devices.
-When the operator executes **podman run --privileged**, podman enables access
-to all devices on the host as well as set turn off most of the security measures
-protecting the host from the container.
+When the operator executes a privileged container, podman enables access
+to all devices on the host, turns off graphdriver mount options, as well as
+turning off most of the security measures protecting the host from the
+container.
**-p**, **--publish**=[]
diff --git a/docs/podman-run.1.md b/docs/podman-run.1.md
index 912026a55..f99d2f863 100644
--- a/docs/podman-run.1.md
+++ b/docs/podman-run.1.md
@@ -450,8 +450,9 @@ container is not allowed to access any devices. A “privileged” container
is given access to all devices.
When the operator executes **podman run --privileged**, podman enables access
-to all devices on the host as well as set turn off most of the security measures
-protecting the host from the container.
+to all devices on the host, turns off graphdriver mount options, as well as
+turning off most of the security measures protecting the host from the
+container.
**-p**, **--publish**=[]
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index 051e0aeb7..a426191a4 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -273,6 +273,27 @@ func (c *Container) setupStorage(ctx context.Context) error {
},
LabelOpts: c.config.LabelOpts,
}
+ if c.config.Privileged {
+ privOpt := func(opt string) bool {
+ for _, privopt := range []string{"nodev", "nosuid", "noexec"} {
+ if opt == privopt {
+ return true
+ }
+ }
+ return false
+ }
+ defOptions, err := storage.GetDefaultMountOptions()
+ if err != nil {
+ return errors.Wrapf(err, "error getting default mount options")
+ }
+ var newOptions []string
+ for _, opt := range defOptions {
+ if !privOpt(opt) {
+ newOptions = append(newOptions, opt)
+ }
+ }
+ options.MountOpts = newOptions
+ }
if c.config.Rootfs == "" {
options.IDMappingOptions = c.config.IDMappings