Merge pull request #4329 from mheon/no_noexec_image_volume

Image volumes should not be mounted noexec
2025-06-20 00:51:16 +08:00 · 2019-10-24 01:07:51 +02:00
parent 4b8832a9af 57eaea9539
commit 299a430759
2 changed files with 9 additions and 2 deletions
--- a/pkg/spec/storage.go
+++ b/pkg/spec/storage.go
@ -738,13 +738,13 @@ func (config *CreateConfig) getImageVolumes() (map[string]spec.Mount, map[string
 				Destination: cleanDest,
 				Source:      TypeTmpfs,
 				Type:        TypeTmpfs,
-				Options:     []string{"rprivate", "rw", "nodev"},
+				Options:     []string{"rprivate", "rw", "nodev", "exec"},
 			}
 			mounts[vol] = mount
 		} else {
 			// Anonymous volumes have no name.
 			namedVolume := new(libpod.ContainerNamedVolume)
-			namedVolume.Options = []string{"rprivate", "rw", "nodev"}
+			namedVolume.Options = []string{"rprivate", "rw", "nodev", "exec"}
 			namedVolume.Dest = cleanDest
 			volumes[vol] = namedVolume
 		}
--- a/test/e2e/run_volume_test.go
+++ b/test/e2e/run_volume_test.go
@ -357,4 +357,11 @@ var _ = Describe("Podman run with volumes", func() {
 		Expect(len(arr2)).To(Equal(1))
 		Expect(arr2[0]).To(Equal(volName))
 	})
 	It("podman run image volume is not noexec", func() {
 		session := podmanTest.Podman([]string{"run", "--rm", redis, "grep", "/data", "/proc/self/mountinfo"})
 		session.WaitWithDefaultTimeout()
 		Expect(session.ExitCode()).To(Equal(0))
 		Expect(session.OutputToString()).To(Not(ContainSubstring("noexec")))
 	})
 })