opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-05-20 16:47:39 +08:00
Code Issues Packages Projects Releases Wiki Activity

libpod: enforce noexec,nosuid,nodev for /dev/shm

Browse Source 
these mount flags are already used for the /dev/shm mount on the host,
but they are not set for the bind mount itself.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This commit is contained in:
Giuseppe Scrivano
2022-02-02 10:03:13 +01:00
parent 6f491e21aa
commit c4dfd004ad
2 changed files with 16 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
libpod/container_internal_linux.go
View File

@ -510,6 +510,9 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
if c.IsReadOnly() && dstPath != "/dev/shm" {
newMount.Options = append(newMount.Options, "ro", "nosuid", "noexec", "nodev")
}
if dstPath == "/dev/shm" && c.state.BindMounts["/dev/shm"] == c.config.ShmDir {
newMount.Options = append(newMount.Options, "nosuid", "noexec", "nodev")
}
if !MountExists(g.Mounts(), dstPath) {
g.AddMount(newMount)
} else {
@ -1570,6 +1573,9 @@ func (c *Container) restore(ctx context.Context, options ContainerCheckpointOpti
if c.IsReadOnly() && dstPath != "/dev/shm" {
newMount.Options = append(newMount.Options, "ro", "nosuid", "noexec", "nodev")
}
if dstPath == "/dev/shm" && c.state.BindMounts["/dev/shm"] == c.config.ShmDir {
newMount.Options = append(newMount.Options, "nosuid", "noexec", "nodev")
}
if !MountExists(g.Mounts(), dstPath) {
g.AddMount(newMount)
}