Disable mount options when running --privileged

We now default to setting storage options to "nodev". When running
privileged containers, we need to turn this off so the processes can
manipulate the image.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Daniel J Walsh
2018-11-16 06:51:26 -05:00
parent 193e619756
commit 3beacb73bc
3 changed files with 28 additions and 5 deletions

@ -465,9 +465,10 @@ By default, podman containers are
This is because by default a container is not allowed to access any devices. This is because by default a container is not allowed to access any devices.
A “privileged” container is given access to all devices. A “privileged” container is given access to all devices.
When the operator executes **podman run --privileged**, podman enables access When the operator executes a privileged container, podman enables access
to all devices on the host as well as set turn off most of the security measures to all devices on the host, turns off graphdriver mount options, as well as
protecting the host from the container. turning off most of the security measures protecting the host from the
container.
**-p**, **--publish**=[] **-p**, **--publish**=[]
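Review bot: the new sentence mixes verb forms ("turns off graphdriver mount options, as well as turning off most of the security measures"); suggest parallel wording such as "turns off graphdriver mount options and turns off most of the security measures protecting the host from the container." It would also help readers to name the options being dropped, since the code change in this commit strips exactly "nodev", "nosuid" and "noexec"; and note that this file now says "executes a privileged container" while the other man page in the same commit keeps "**podman run --privileged**", so the two pages should be brought into line with each other.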

@ -450,8 +450,9 @@ container is not allowed to access any devices. A “privileged” container
is given access to all devices. is given access to all devices.
When the operator executes **podman run --privileged**, podman enables access When the operator executes **podman run --privileged**, podman enables access
to all devices on the host as well as set turn off most of the security measures to all devices on the host, turns off graphdriver mount options, as well as
protecting the host from the container. turning off most of the security measures protecting the host from the
container.
**-p**, **--publish**=[] **-p**, **--publish**=[]
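Review bot: same parallelism problem as in the other man page ("turns off ... as well as turning off ..."); suggest "turns off graphdriver mount options and turns off most of the security measures protecting the host from the container." Consider stating which mount options are removed (the code strips "nodev", "nosuid" and "noexec") so operators understand the concrete effect on the image mount, and keep the lead-in phrase identical to the other page so the two documents do not drift.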

@ -273,6 +273,27 @@ func (c *Container) setupStorage(ctx context.Context) error {
}, },
LabelOpts: c.config.LabelOpts, LabelOpts: c.config.LabelOpts,
} }
if c.config.Privileged {
privOpt := func(opt string) bool {
for _, privopt := range []string{"nodev", "nosuid", "noexec"} {
if opt == privopt {
return true
}
}
return false
}
defOptions, err := storage.GetDefaultMountOptions()
if err != nil {
return errors.Wrapf(err, "error getting default mount options")
}
var newOptions []string
for _, opt := range defOptions {
if !privOpt(opt) {
newOptions = append(newOptions, opt)
}
}
options.MountOpts = newOptions
}
if c.config.Rootfs == "" { if c.config.Rootfs == "" {
options.IDMappingOptions = c.config.IDMappings options.IDMappingOptions = c.config.IDMappings
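Review bot: the helper name `privOpt` is misleading, since it returns true for options that must be *removed* when the container is privileged; rename it to something like `isHardeningOpt` or invert the sense, and lift the `[]string{"nodev", "nosuid", "noexec"}` literal to a package-level variable so the man pages and any future callers reference one authoritative list. The block also lacks a comment explaining the security trade-off (a privileged container needs to create device nodes and run setuid or executable files from the image, so the hardening options on the storage mount are dropped); add one above `if c.config.Privileged {`. Finally, the filter only ever runs on `storage.GetDefaultMountOptions()` and then assigns `options.MountOpts = newOptions` unconditionally, so if `options.MountOpts` is ever populated before this point in a later change the filter will silently discard it; filtering the existing `options.MountOpts` when it is non-empty, or asserting it is empty here, would make that explicit.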