From 5bdd97f77fc3100c6338928d4d54af32273d36fb Mon Sep 17 00:00:00 2001 From: Matthew Heon Date: Fri, 23 Aug 2019 13:24:06 -0400 Subject: Set base mount options for bind mounts from base system If I mount, say, /usr/bin into my container - I expect to be able to run the executables in that mount. Unconditionally applying noexec would be a bad idea. Before my patches to change mount options and allow exec/dev/suid being set explicitly, we inferred the mount options from where on the base system the mount originated, and the options it had there. Implement the same functionality for the new option handling. There's a lot of performance left on the table here, but I don't know that this is ever going to take enough time to make it worth optimizing. Signed-off-by: Matthew Heon --- pkg/util/mountOpts.go | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) (limited to 'pkg/util') diff --git a/pkg/util/mountOpts.go b/pkg/util/mountOpts.go index 81dc4cefd..8accd4697 100644 --- a/pkg/util/mountOpts.go +++ b/pkg/util/mountOpts.go @@ -13,10 +13,19 @@ var ( ErrDupeMntOption = errors.Errorf("duplicate option passed") ) +// DefaultMountOptions sets default mount options for ProcessOptions. +type DefaultMountOptions struct { + Noexec bool + Nosuid bool + Nodev bool +} + // ProcessOptions parses the options for a bind or tmpfs mount and ensures that // they are sensible and follow convention. The isTmpfs variable controls // whether extra, tmpfs-specific options will be allowed. -func ProcessOptions(options []string, isTmpfs bool) ([]string, error) { +// The defaults variable controls default mount options that will be set. If it +// is not included, they will be set unconditionally. +func ProcessOptions(options []string, isTmpfs bool, defaults *DefaultMountOptions) ([]string, error) { var ( foundWrite, foundSize, foundProp, foundMode, foundExec, foundSuid, foundDev, foundCopyUp, foundBind bool ) @@ -93,13 +102,13 @@ func ProcessOptions(options []string, isTmpfs bool) ([]string, error) { if !foundProp { options = append(options, "rprivate") } - if !foundExec { + if !foundExec && (defaults == nil || defaults.Noexec) { options = append(options, "noexec") } - if !foundSuid { + if !foundSuid && (defaults == nil || defaults.Nosuid) { options = append(options, "nosuid") } - if !foundDev { + if !foundDev && (defaults == nil || defaults.Nodev) { options = append(options, "nodev") } if isTmpfs && !foundCopyUp { -- cgit v1.2.3-54-g00ecf