Bind Mounts should be mounted read-only when in read-only mode

We don't want to allow users to write to /etc/resolv.conf or /etc/hosts if in read only mode. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com> Closes: #1510 Approved by: TomSweeneyRedHat
author: Daniel J Walsh <dwalsh@redhat.com> 2018-09-19 13:13:54 -0400
committer: Atomic Bot <atomic-devel@projectatomic.io> 2018-09-20 13:55:35 +0000
commit: 2cbb8c216a2f8e7160cdf88ef6ef50ee75559d96 (patch)
tree: d9ad9f56fe0f52b72b93e62dfc3bade4fc464e8e /libpod/container_internal_linux.go
parent: 1a59c4d5fe7b447e0b503f6bd43f218beed7a4d8 (diff)
download: podman-2cbb8c216a2f8e7160cdf88ef6ef50ee75559d96.tar.gz
podman-2cbb8c216a2f8e7160cdf88ef6ef50ee75559d96.tar.bz2
podman-2cbb8c216a2f8e7160cdf88ef6ef50ee75559d96.zip
1 files changed, 4 insertions, 1 deletions
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index c0912dc0d..f9e161cb3 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -107,7 +107,10 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 			Type:        "bind",
 			Source:      srcPath,
 			Destination: dstPath,
-			Options:     []string{"rw", "bind", "private"},
+			Options:     []string{"bind", "private"},
+		}
+		if c.IsReadOnly() {
+			newMount.Options = append(newMount.Options, "ro")
 		}
 		if !MountExists(g.Mounts(), dstPath) {
 			g.AddMount(newMount)
author	Daniel J Walsh <dwalsh@redhat.com>	2018-09-19 13:13:54 -0400
committer	Atomic Bot <atomic-devel@projectatomic.io>	2018-09-20 13:55:35 +0000
commit	2cbb8c216a2f8e7160cdf88ef6ef50ee75559d96 (patch)
tree	d9ad9f56fe0f52b72b93e62dfc3bade4fc464e8e /libpod/container_internal_linux.go
parent	1a59c4d5fe7b447e0b503f6bd43f218beed7a4d8 (diff)
download	podman-2cbb8c216a2f8e7160cdf88ef6ef50ee75559d96.tar.gz podman-2cbb8c216a2f8e7160cdf88ef6ef50ee75559d96.tar.bz2 podman-2cbb8c216a2f8e7160cdf88ef6ef50ee75559d96.zip