Image volumes should not be mounted noexec

This matches Docker more closely, but retains the more important protections of nosuid/nodev. Fixes #4318 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
author: Matthew Heon <matthew.heon@pm.me> 2019-10-23 12:08:32 -0400
committer: Matthew Heon <matthew.heon@pm.me> 2019-10-23 12:09:22 -0400
commit: 57eaea9539bb18d683cbac28a6a1b1b09e744944 (patch)
tree: ffaf9ed5111eb6a2f9cf67353457f5294c0ccf14 /pkg
parent: ef556cfecf4d41f63c03eedf127683dad7797e71 (diff)
download: podman-57eaea9539bb18d683cbac28a6a1b1b09e744944.tar.gz
podman-57eaea9539bb18d683cbac28a6a1b1b09e744944.tar.bz2
podman-57eaea9539bb18d683cbac28a6a1b1b09e744944.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/pkg/spec/storage.go b/pkg/spec/storage.go
index a394a19ae..095534589 100644
--- a/pkg/spec/storage.go
+++ b/pkg/spec/storage.go
@@ -738,13 +738,13 @@ func (config *CreateConfig) getImageVolumes() (map[string]spec.Mount, map[string
 				Destination: cleanDest,
 				Source:      TypeTmpfs,
 				Type:        TypeTmpfs,
-				Options:     []string{"rprivate", "rw", "nodev"},
+				Options:     []string{"rprivate", "rw", "nodev", "exec"},
 			}
 			mounts[vol] = mount
 		} else {
 			// Anonymous volumes have no name.
 			namedVolume := new(libpod.ContainerNamedVolume)
-			namedVolume.Options = []string{"rprivate", "rw", "nodev"}
+			namedVolume.Options = []string{"rprivate", "rw", "nodev", "exec"}
 			namedVolume.Dest = cleanDest
 			volumes[vol] = namedVolume
 		}
author	Matthew Heon <matthew.heon@pm.me>	2019-10-23 12:08:32 -0400
committer	Matthew Heon <matthew.heon@pm.me>	2019-10-23 12:09:22 -0400
commit	57eaea9539bb18d683cbac28a6a1b1b09e744944 (patch)
tree	ffaf9ed5111eb6a2f9cf67353457f5294c0ccf14 /pkg
parent	ef556cfecf4d41f63c03eedf127683dad7797e71 (diff)
download	podman-57eaea9539bb18d683cbac28a6a1b1b09e744944.tar.gz podman-57eaea9539bb18d683cbac28a6a1b1b09e744944.tar.bz2 podman-57eaea9539bb18d683cbac28a6a1b1b09e744944.zip