author | Matthew Heon <matthew.heon@pm.me> | 2019-08-22 11:21:20 -0400 |
---|---|---|
committer | Matthew Heon <matthew.heon@pm.me> | 2019-08-28 14:28:18 -0400 |
commit | 02264d597faa034c14393ab6c98591e85a2642ee (patch) | |
tree | 7a2c51a405bc30a2e41eaee591d5da5ed744fa61 /pkg/spec/spec.go | |
parent | 502536fe07cf858757f1e358cfb91dc02facf546 (diff) | |
Add support for 'exec', 'suid', 'dev' mount flags
Previously, we explicitly set noexec/nosuid/nodev on every mount,
with no ability to disable them. The 'mount' command on Linux
will accept their inverses without complaint, though - 'noexec'
is counteracted by 'exec', 'nosuid' by 'suid', etc. Add support
for passing these options at the command line to disable our
explicit forcing of security options.
This also cleans up mount option handling significantly. We are
still parsing options in more than one place, which isn't good,
but option parsing for bind and tmpfs mounts has been unified.
Fixes: #3819
Fixes: #3803
Signed-off-by: Matthew Heon <matthew.heon@pm.me>
Diffstat (limited to 'pkg/spec/spec.go')
-rw-r--r-- | pkg/spec/spec.go | 43 |
1 files changed, 5 insertions, 38 deletions
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index 156d6849d..779fb5290 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -368,7 +368,11 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
 	// BIND MOUNTS
 	configSpec.Mounts = supercedeUserMounts(userMounts, configSpec.Mounts)
 	// Process mounts to ensure correct options
-	configSpec.Mounts = initFSMounts(configSpec.Mounts)
+	finalMounts, err := initFSMounts(configSpec.Mounts)
+	if err != nil {
+		return nil, err
+	}
+	configSpec.Mounts = finalMounts
 
 	// BLOCK IO
 	blkio, err := config.CreateBlockIO()
@@ -394,43 +398,6 @@ func (config *CreateConfig) createConfigToOCISpec(runtime *libpod.Runtime, userM
 		}
 	}
 
-	// Make sure that the bind mounts keep options like nosuid, noexec, nodev.
-	mounts, err := pmount.GetMounts()
-	if err != nil {
-		return nil, err
-	}
-	for i := range configSpec.Mounts {
-		m := &configSpec.Mounts[i]
-		isBind := false
-		for _, o := range m.Options {
-			if o == "bind" || o == "rbind" {
-				isBind = true
-				break
-			}
-		}
-		if !isBind {
-			continue
-		}
-		mount, err := findMount(m.Source, mounts)
-		if err != nil {
-			return nil, err
-		}
-		if mount == nil {
-			continue
-		}
-	next_option:
-		for _, o := range strings.Split(mount.Opts, ",") {
-			if o == "nosuid" || o == "noexec" || o == "nodev" {
-				for _, e := range m.Options {
-					if e == o {
-						continue next_option
-					}
-				}
-				m.Options = append(m.Options, o)
-			}
-		}
-	}
-
 	// Add annotations
 	if configSpec.Annotations == nil {
 		configSpec.Annotations = make(map[string]string)
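Review bot: The comment above the new `initFSMounts` call, `// Process mounts to ensure correct options`, no longer says that this step can now fail and abort spec creation, which is the behaviour the first hunk introduces. A reader of this function (whose body starts and ends outside the hunk) will not expect an error return from a normalisation step, so I would change it to `// Process mounts to ensure correct options; initFSMounts rejects invalid option sets and aborts spec creation`. The error is also returned without context, so unless initFSMounts already names the offending mount in its message, consider wrapping it so the user learns which mount was rejected.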
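Review bot: The second hunk removes the only visible place where a bind mount inherited `nosuid`, `noexec` and `nodev` from the host mount table entry of its source (`pmount.GetMounts` plus `findMount`), and nothing in this file replaces that lookup. That block was a hardening step: it stopped a container bind mount from exposing a host path with fewer restrictions than the host itself enforces on it. If `initFSMounts` in the other file now performs the same host-mount inspection, a one-line comment at the call site saying so would prevent a future reader from re-adding it; if the inheritance was dropped deliberately, the commit description should state that bind mounts no longer pick up these flags from the host, since the description only mentions the new opt-out via `exec`/`suid`/`dev`. This is inferred from the visible lines only; the replacement code is not in this diff.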