From 3beacb73bced227b211bf3b8710382b94358614b Mon Sep 17 00:00:00 2001
From: Daniel J Walsh <dwalsh@redhat.com>
Date: Fri, 16 Nov 2018 06:51:26 -0500
Subject: Disable mount options when running --privileged

We now default to setting storage options to "nodev", when running
privileged containers, we need to turn this off so the processes can
manipulate the image.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
---
 libpod/container_internal.go | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

(limited to 'libpod')

diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index 051e0aeb7..a426191a4 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -273,6 +273,27 @@ func (c *Container) setupStorage(ctx context.Context) error {
 		},
 		LabelOpts: c.config.LabelOpts,
 	}
+	if c.config.Privileged {
+		privOpt := func(opt string) bool {
+			for _, privopt := range []string{"nodev", "nosuid", "noexec"} {
+				if opt == privopt {
+					return true
+				}
+			}
+			return false
+		}
+		defOptions, err := storage.GetDefaultMountOptions()
+		if err != nil {
+			return errors.Wrapf(err, "error getting default mount options")
+		}
+		var newOptions []string
+		for _, opt := range defOptions {
+			if !privOpt(opt) {
+				newOptions = append(newOptions, opt)
+			}
+		}
+		options.MountOpts = newOptions
+	}
 
 	if c.config.Rootfs == "" {
 		options.IDMappingOptions = c.config.IDMappings
-- 
cgit v1.2.3-54-g00ecf