Validate the bind-propagation option to --mount

Similar to github.com/containers/buildah/pull/5761 but not security critical as Podman does not have an expectation that mounts are scoped (the ability to write a --mount option is already the ability to mount arbitrary content into the container so sneaking arbitrary options into the mount doesn't have security implications). Still, bad practice to let users inject anything into the mount command line so let's not do that. Signed-off-by: Matt Heon <mheon@redhat.com>
2025-05-21 09:05:56 +08:00 · 2024-10-01 12:38:45 -04:00
parent 13b78c9da9
commit 985b57d9f7
2 changed files with 10 additions and 0 deletions
--- a/pkg/specgenutil/volumes.go
+++ b/pkg/specgenutil/volumes.go
@ -272,6 +272,12 @@ func parseMountOptions(mountType string, args []string) (*spec.Mount, error) {
 			if !hasValue {
 				return nil, fmt.Errorf("%v: %w", name, errOptionArg)
 			}
+			switch value {
+			case "shared", "rshared", "private", "rprivate", "slave", "rslave", "unbindable", "runbindable":
+				// Do nothing, sane value
+			default:
+				return nil, fmt.Errorf("invalid value %q", arg)
+			}
 			mnt.Options = append(mnt.Options, value)
 		case "consistency":
 			// Often used on MACs and mistakenly on Linux platforms.
--- a/test/e2e/run_volume_test.go
+++ b/test/e2e/run_volume_test.go
@ -122,6 +122,10 @@ var _ = Describe("Podman run with volumes", func() {
 		session.WaitWithDefaultTimeout()
 		Expect(session).To(ExitWithError(125, `"notmpcopyup" option not supported for "bind" mount types`))

+		session = podmanTest.Podman([]string{"run", "--rm", "--mount", "type=bind,src=/tmp,target=/tmp,bind-propagation=fake", ALPINE, "true"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).To(ExitWithError(125, `invalid value "bind-propagation=fake"`))
+
 		session = podmanTest.Podman([]string{"run", "--rm", "--mount", "type=tmpfs,target=/etc/ssl,notmpcopyup", ALPINE, "ls", "/etc/ssl"})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(ExitCleanly())