Diffstat (limited to 'cmd')
-rw-r--r--cmd/kpod/spec.go34
-rw-r--r--cmd/kpod/spec_test.go2
2 files changed, 25 insertions, 11 deletions
diff --git a/cmd/kpod/spec.go b/cmd/kpod/spec.go
index b2a439a9b..5d6fe8879 100644
--- a/cmd/kpod/spec.go
+++ b/cmd/kpod/spec.go
@@ -300,6 +300,16 @@ func createConfigToOCISpec(config *createConfig) (*spec.Spec, error) {
return nil, errors.Wrapf(err, "error getting volume mounts")
}
configSpec.Mounts = append(configSpec.Mounts, mounts...)
+ for _, mount := range configSpec.Mounts {
+ for _, opt := range mount.Options {
+ switch opt {
+ case "private", "rprivate", "slave", "rslave", "shared", "rshared":
+ if err := g.SetLinuxRootPropagation(opt); err != nil {
+ return nil, errors.Wrapf(err, "error setting root propagation for %q", mount.Destination)
+ }
+ }
+ }
+ }
// HANDLE CAPABILITIES
if err := setupCapabilities(config, configSpec); err != nil {
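Review bot: The added loop in createConfigToOCISpec calls `g.SetLinuxRootPropagation(opt)` once for every propagation option on every mount, so the container-wide root propagation ends up as whatever the last matching mount in `configSpec.Mounts` carries. Because GetVolumeMounts now appends `rprivate` to each volume that names no mode (the later hunk in this file), a `shared` volume followed by a plain volume would presumably leave the root at `rprivate`. In the other direction, one `:shared` volume option makes the whole rootfs shared, which loosens mount isolation from the host for more than that one volume. I would compute the widest mode any mount needs, call the setter once, and add a comment saying that root propagation is per container rather than per mount. The function body starts and ends outside the hunk.

```go
configSpec.Mounts = append(configSpec.Mounts, mounts...)
// Root propagation is a single per-container setting: pick the widest mode
// any mount asks for and apply it once, independent of mount order.
rootProp := ""
for _, mount := range configSpec.Mounts {
	for _, opt := range mount.Options {
		switch opt {
		case "shared", "rshared":
			rootProp = "shared"
		case "slave", "rslave":
			if rootProp != "shared" {
				rootProp = "slave"
			}
		}
	}
}
if rootProp != "" {
	if err := g.SetLinuxRootPropagation(rootProp); err != nil {
		return nil, errors.Wrapf(err, "error setting root propagation to %q", rootProp)
	}
}
// … unchanged: capability setup …
```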
@@ -442,24 +452,25 @@ func (c *createConfig) GetVolumeMounts() ([]spec.Mount, error) {
options = strings.Split(spliti[2], ",")
}
options = append(options, "rbind")
- // var foundrw, foundro,
- var foundz, foundZ bool
+ var foundrw, foundro, foundz, foundZ bool
+ var rootProp string
for _, opt := range options {
switch opt {
- // case "rw":
- // foundrw = true
- // case "ro":
- // foundro = true
+ case "rw":
+ foundrw = true
+ case "ro":
+ foundro = true
case "z":
foundz = true
case "Z":
foundZ = true
+ case "private", "rprivate", "slave", "rslave", "shared", "rshared":
+ rootProp = opt
}
}
- // if !foundro && !foundrw {
- // // rw option is default
- // options = append(options, "rw")
- // }
+ if !foundrw && !foundro {
+ options = append(options, "rw")
+ }
if foundz {
if err := label.Relabel(spliti[0], c.mountLabel, true); err != nil {
return nil, errors.Wrapf(err, "relabel failed %q", spliti[0])
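Review bot: Nothing in the option loop rejects a volume that names both `ro` and `rw`, and the switch has no `default` arm, so a misspelled read-only flag (for example `RO`) is passed through untouched and the new `if !foundrw && !foundro` branch then makes the host bind mount writable. I would fail closed on the conflict, e.g. `if foundrw && foundro { return nil, errors.Errorf("invalid options %q, can only specify 'ro' or 'rw'", spliti[2]) }`. Whether unknown options are validated somewhere else is not visible from this hunk. `rootProp` is also overwritten silently when two propagation modes are listed, and both stay in `options`; a short comment or an error there would make the intended precedence explicit. GetVolumeMounts starts and ends outside the hunk.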
@@ -470,6 +481,9 @@ func (c *createConfig) GetVolumeMounts() ([]spec.Mount, error) {
return nil, errors.Wrapf(err, "relabel failed %q", spliti[0])
}
}
+ if rootProp == "" {
+ options = append(options, "rprivate")
+ }
m = append(m, spec.Mount{
Destination: spliti[1],
diff --git a/cmd/kpod/spec_test.go b/cmd/kpod/spec_test.go
index 1eedb0e2a..799d6b235 100644
--- a/cmd/kpod/spec_test.go
+++ b/cmd/kpod/spec_test.go
@@ -13,7 +13,7 @@ func TestCreateConfig_GetVolumeMounts(t *testing.T) {
Destination: "/foobar",
Type: "bind",
Source: "foobar",
- Options: []string{"ro", "rbind"},
+ Options: []string{"ro", "rbind", "rprivate"},
}
config := createConfig{
volumes: []string{"foobar:/foobar:ro"},
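Review bot: The updated expectation still exercises only a `ro` volume with no propagation option, so two of the branches this commit adds have no coverage. A case with no access flag (expecting `rw` to be appended) and one with an explicit mode such as `foobar:/foobar:ro,shared` (expecting no `rprivate`) would pin the new defaults. The test function continues outside the hunk.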