From 663ee91eec01706008046c1df2c307716f9288db Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Wed, 22 Aug 2018 17:45:44 +0200
Subject: Fix Mount Propagation

Default mount propagation inside of containes should be private

Signed-off-by: Daniel J Walsh

Closes: #1305
Approved by: mheon
---
 pkg/secrets/secrets.go | 4 ++--
 pkg/spec/createconfig.go | 4 ++--
 pkg/spec/spec.go | 20 ++++++--------------
 3 files changed, 10 insertions(+), 18 deletions(-)
(limited to 'pkg')

diff --git a/pkg/secrets/secrets.go b/pkg/secrets/secrets.go
index 6f38f1fd5..be5642eba 100644
--- a/pkg/secrets/secrets.go
+++ b/pkg/secrets/secrets.go
@@ -243,7 +243,7 @@ func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPr
 Source: filepath.Join(mountPrefix, ctrDir),
 Destination: ctrDir,
 Type: "bind",
- Options: []string{"bind"},
+ Options: []string{"bind", "private"},
 }
 mounts = append(mounts, m)
@@ -278,7 +278,7 @@ func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir string) error
 Source: ctrDirOnHost,
 Destination: secretsDir,
 Type: "bind",
- Options: []string{"bind"},
+ Options: []string{"bind", "private"},
 }
 *mounts = append(*mounts, m)
 }
diff --git a/pkg/spec/createconfig.go b/pkg/spec/createconfig.go
index 41030bf26..c7eaeb9f7 100644
--- a/pkg/spec/createconfig.go
+++ b/pkg/spec/createconfig.go
@@ -214,7 +214,7 @@ func (c *CreateConfig) GetVolumeMounts(specMounts []spec.Mount) ([]spec.Mount, e
 Destination: vol,
 Type: string(TypeTmpfs),
 Source: string(TypeTmpfs),
- Options: []string{"rw", "noexec", "nosuid", "nodev", "tmpcopyup"},
+ Options: []string{"private", "rw", "noexec", "nosuid", "nodev", "tmpcopyup"},
 }
 m = append(m, mount)
 }
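Review bot: `private` is the non-recursive propagation flag, which is consistent with the non-recursive `bind` used on this mount and on the one in the @@ -278 hunk, but the two options are coupled and nothing in the code says so; a later switch to `rbind` (to carry submounts of the secrets directory) would also need `rprivate`, since a submount copied from the host otherwise keeps the host's propagation type. A one-line comment above the `Options` field in both hunks would keep that visible: `// "private" pairs with the non-recursive "bind"; an "rbind" mount needs "rprivate".` Both `addSecretsFromMountsFile` and `addFIPSModeSecret` start and end outside their hunks.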
@@ -272,7 +272,7 @@ func (c *CreateConfig) GetTmpfsMounts() []spec.Mount {
 var m []spec.Mount
 for _, i := range c.Tmpfs {
 // Default options if nothing passed
- options := []string{"rw", "noexec", "nosuid", "nodev", "size=65536k"}
+ options := []string{"private", "rw", "noexec", "nosuid", "nodev", "size=65536k"}
 spliti := strings.Split(i, ":")
 destPath := spliti[0]
 if len(spliti) > 1 {
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index 255b70045..a915c305f 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -41,7 +41,7 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
 Destination: "/sys",
 Type: "sysfs",
 Source: "sysfs",
- Options: []string{"nosuid", "noexec", "nodev", "rw"},
+ Options: []string{"private", "nosuid", "noexec", "nodev", "rw"},
 }
 g.AddMount(sysMnt)
 } else if !canMountSys {
@@ -65,7 +65,7 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
 Destination: "/dev/pts",
 Type: "devpts",
 Source: "devpts",
- Options: []string{"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620"},
+ Options: []string{"private", "nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620"},
 }
 g.AddMount(devPts)
 }
@@ -95,7 +95,7 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
 Destination: "/sys/fs/cgroup",
 Type: "cgroup",
 Source: "cgroup",
- Options: []string{"nosuid", "noexec", "nodev", "relatime", cgroupPerm},
+ Options: []string{"private", "nosuid", "noexec", "nodev", "relatime", cgroupPerm},
 }
 g.AddMount(cgroupMnt)
 }
@@ -223,7 +223,7 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
 for _, i := range config.Tmpfs {
 // Default options if nothing passed
- options := []string{"rw", "noexec", "nosuid", "nodev", "size=65536k"}
+ options := []string{"rw", "private", "noexec", "nosuid", "nodev", "size=65536k"}
 spliti := strings.SplitN(i, ":", 2)
 if len(spliti) > 1 {
 if _, _, err := mount.ParseTmpfsOptions(spliti[1]); err != nil {
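Review bot: The default tmpfs option list is now duplicated in `GetTmpfsMounts` and in the @@ -223 hunk of spec.go, with `private` in a different position in each (`{"private", "rw", …}` versus `{"rw", "private", …}`), which invites the two copies to drift; a single package-level default slice, or a small helper that prepends `"private"` to whatever list is in use, would keep them identical. More importantly, the comment above both literals says these are the options "if nothing passed", so if the `if len(spliti) > 1 {` branch (which continues outside the hunk in both places) replaces `options` with the user-supplied list rather than appending to it, user-specified tmpfs mounts presumably would not carry `private` at all and would fall back to whatever root propagation is configured later in `CreateConfigToOCISpec` — worth confirming, and if so `private` should be added after the user's options rather than only to the default. Both enclosing functions start and end outside their hunks.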
@@ -303,17 +303,9 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
 return nil, errors.Wrapf(err, "error getting volume mounts")
 }
 configSpec.Mounts = append(configSpec.Mounts, mounts...)
- for _, mount := range configSpec.Mounts {
- for _, opt := range mount.Options {
- switch opt {
- case "private", "rprivate", "slave", "rslave", "shared", "rshared":
- if err := g.SetLinuxRootPropagation(opt); err != nil {
- return nil, errors.Wrapf(err, "error setting root propagation for %q", mount.Destination)
- }
- }
- }
+ if err := g.SetLinuxRootPropagation("shared"); err != nil {
+ return nil, errors.Wrapf(err, "failed to set propagation to rslave")
 }
-
 if canAddResources {
 // BLOCK IO
 blkio, err := config.CreateBlockIO()
--
cgit v1.2.3-54-g00ecf
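Review bot: The new call sets root propagation to `"shared"`, but the error it wraps says `"failed to set propagation to rslave"` and the commit message says the default should be private, so anyone who hits this error will be looking for the wrong thing. The message should name what was actually attempted and follow the `error …` wording the rest of this function uses: `return nil, errors.Wrapf(err, "error setting root propagation to shared")`. The removed loop only touched root propagation when a mount explicitly asked for it; now the root is unconditionally shared, so the per-mount isolation the subject line describes rests entirely on every mount carrying its own `private` option, and a comment stating that would keep the two halves of this change coupled, e.g. `// Root propagation is left shared (presumably so shared/rshared volumes can be honoured — confirm); every mount podman adds sets "private" itself.` `CreateConfigToOCISpec` starts and ends outside the hunk.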