Image volumes should not be mounted noexec

This matches Docker more closely, but retains the more important protections of nosuid/nodev. Fixes #4318 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
author: Matthew Heon <matthew.heon@pm.me> 2019-10-23 12:08:32 -0400
committer: Matthew Heon <matthew.heon@pm.me> 2019-10-23 12:09:22 -0400
commit: 57eaea9539bb18d683cbac28a6a1b1b09e744944 (patch)
tree: ffaf9ed5111eb6a2f9cf67353457f5294c0ccf14 /test/e2e/run_volume_test.go
parent: ef556cfecf4d41f63c03eedf127683dad7797e71 (diff)
download: podman-57eaea9539bb18d683cbac28a6a1b1b09e744944.tar.gz
podman-57eaea9539bb18d683cbac28a6a1b1b09e744944.tar.bz2
podman-57eaea9539bb18d683cbac28a6a1b1b09e744944.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/test/e2e/run_volume_test.go b/test/e2e/run_volume_test.go
index d04eb07b3..c96059787 100644
--- a/test/e2e/run_volume_test.go
+++ b/test/e2e/run_volume_test.go
@@ -357,4 +357,11 @@ var _ = Describe("Podman run with volumes", func() {
 		Expect(len(arr2)).To(Equal(1))
 		Expect(arr2[0]).To(Equal(volName))
 	})
+
+	It("podman run image volume is not noexec", func() {
+		session := podmanTest.Podman([]string{"run", "--rm", redis, "grep", "/data", "/proc/self/mountinfo"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+		Expect(session.OutputToString()).To(Not(ContainSubstring("noexec")))
+	})
 })
author	Matthew Heon <matthew.heon@pm.me>	2019-10-23 12:08:32 -0400
committer	Matthew Heon <matthew.heon@pm.me>	2019-10-23 12:09:22 -0400
commit	57eaea9539bb18d683cbac28a6a1b1b09e744944 (patch)
tree	ffaf9ed5111eb6a2f9cf67353457f5294c0ccf14 /test/e2e/run_volume_test.go
parent	ef556cfecf4d41f63c03eedf127683dad7797e71 (diff)
download	podman-57eaea9539bb18d683cbac28a6a1b1b09e744944.tar.gz podman-57eaea9539bb18d683cbac28a6a1b1b09e744944.tar.bz2 podman-57eaea9539bb18d683cbac28a6a1b1b09e744944.zip