opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-06-24 03:08:13 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2432 from giuseppe/fix-read-only-bind-mounts

Browse Source 
podman: fix ro bind mounts if no* opts are on the source
This commit is contained in:
OpenShift Merge Robot
2019-02-25 20:23:08 +01:00
committed by GitHub
parent 26ce470e7f 0f5ae3c5af
commit 6fc18e7d07
1 changed files with 58 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
pkg/spec/spec.go
View File

@ -3,10 +3,12 @@ package createconfig
import ( import (
"os" "os"
"path" "path"
"path/filepath"
"strings" "strings"
"github.com/containers/libpod/pkg/rootless" "github.com/containers/libpod/pkg/rootless"
"github.com/containers/storage/pkg/mount" "github.com/containers/storage/pkg/mount"
pmount "github.com/containers/storage/pkg/mount"
"github.com/docker/docker/daemon/caps" "github.com/docker/docker/daemon/caps"
"github.com/docker/go-units" "github.com/docker/go-units"
"github.com/opencontainers/runc/libcontainer/user" "github.com/opencontainers/runc/libcontainer/user"
@ -392,9 +394,65 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
configSpec.Linux.Resources = &spec.LinuxResources{} configSpec.Linux.Resources = &spec.LinuxResources{}
} }
// Make sure that the bind mounts keep options like nosuid, noexec, nodev.
mounts, err := pmount.GetMounts()
if err != nil {
return nil, err
}
for i := range configSpec.Mounts {
m := &configSpec.Mounts[i]
isBind := false
for _, o := range m.Options {
if o == "bind" || o == "rbind" {
isBind = true
break
}
}
if !isBind {
continue
}
mount, err := findMount(m.Source, mounts)
if err != nil {
return nil, err
}
if mount == nil {
continue
}
next_option:
for _, o := range strings.Split(mount.Opts, ",") {
if o == "nosuid" || o == "noexec" || o == "nodev" {
for _, e := range m.Options {
if e == o {
continue next_option
}
}
m.Options = append(m.Options, o)
}
}
}
return configSpec, nil return configSpec, nil
} }
func findMount(target string, mounts []*pmount.Info) (*pmount.Info, error) {
var err error
target, err = filepath.Abs(target)
if err != nil {
return nil, errors.Wrapf(err, "cannot resolve %s", target)
}
var bestSoFar *pmount.Info
for _, i := range mounts {
if bestSoFar != nil && len(bestSoFar.Mountpoint) > len(i.Mountpoint) {
// Won't be better than what we have already found
continue
}
if strings.HasPrefix(target, i.Mountpoint) {
bestSoFar = i
}
}
return bestSoFar, nil
}
func blockAccessToKernelFilesystems(config *CreateConfig, g *generate.Generator) { func blockAccessToKernelFilesystems(config *CreateConfig, g *generate.Generator) {
if config.PidMode.IsHost() && rootless.IsRootless() { if config.PidMode.IsHost() && rootless.IsRootless() {
return return