Disable mount options when running --privileged

We now default to setting storage options to "nodev", when running privileged containers, we need to turn this off so the processes can manipulate the image. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2025-07-15 03:02:52 +08:00 · 2018-11-16 06:51:26 -05:00
parent 193e619756
commit 3beacb73bc
3 changed files with 28 additions and 5 deletions
--- a/docs/podman-create.1.md
+++ b/docs/podman-create.1.md
@ -465,9 +465,10 @@ By default, podman containers are
 This is because by default a container is not allowed to access any devices.
 A “privileged” container is given access to all devices.

-When the operator executes **podman run --privileged**, podman enables access
-to all devices on the host as well as set turn off most of the security measures
-protecting the host from the container.
+When the operator executes a privileged container, podman enables access
+to all devices on the host, turns off graphdriver mount options, as well as
+turning off most of the security measures protecting the host from the
+container.

 **-p**, **--publish**=[]

--- a/docs/podman-run.1.md
+++ b/docs/podman-run.1.md
@ -450,8 +450,9 @@ container is not allowed to access any devices. A “privileged” container
 is given access to all devices.

 When the operator executes **podman run --privileged**, podman enables access
-to all devices on the host as well as set turn off most of the security measures
-protecting the host from the container.
+to all devices on the host, turns off graphdriver mount options, as well as
+turning off most of the security measures protecting the host from the
+container.

 **-p**, **--publish**=[]

--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@ -273,6 +273,27 @@ func (c *Container) setupStorage(ctx context.Context) error {
 		},
 		LabelOpts: c.config.LabelOpts,
 	}
+	if c.config.Privileged {
+		privOpt := func(opt string) bool {
+			for _, privopt := range []string{"nodev", "nosuid", "noexec"} {
+				if opt == privopt {
+					return true
+				}
+			}
+			return false
+		}
+		defOptions, err := storage.GetDefaultMountOptions()
+		if err != nil {
+			return errors.Wrapf(err, "error getting default mount options")
+		}
+		var newOptions []string
+		for _, opt := range defOptions {
+			if !privOpt(opt) {
+				newOptions = append(newOptions, opt)
+			}
+		}
+		options.MountOpts = newOptions
+	}

 	if c.config.Rootfs == "" {
 		options.IDMappingOptions = c.config.IDMappings