Fix bind mounts of filesystems with nodev, nosuid, noexec options set

Currently bind mounts of filesystems with nodev, nosuid, noexec options set fail in rootless mode if the same options are not set for the bind mount. For ro filesystems this was resolved by #2570 by remounting again with roset. Follow the same approach for nodev, nosuid, noexec . Signed-off-by: Ruediger Pluem <[email protected]>
opencontainers · Apr 3, 2023 · 39772f8 · 39772f8
1 parent 12f98c0
commit 39772f8
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
@@ -1071,16 +1071,16 @@ func remount(m *configs.Mount, rootfs string, mountFd *int) error {
 		if err == nil {
 			return nil
 		}
-		// Check if the source has ro flag...
+		// Check if the source has ro, nodev, noexec, nosuid flag...
 		var s unix.Statfs_t
 		if err := unix.Statfs(source, &s); err != nil {
 			return &os.PathError{Op: "statfs", Path: source, Err: err}
 		}
-		if s.Flags&unix.MS_RDONLY != unix.MS_RDONLY {
+		if s.Flags&(unix.MS_RDONLY|unix.MS_NODEV|unix.MS_NOEXEC|unix.MS_NOSUID) == 0 {
 			return err
 		}
-		// ... and retry the mount with ro flag set.
-		flags |= unix.MS_RDONLY
+		// ... and retry the mount with flags found above.
+		flags |= uintptr(s.Flags&(unix.MS_RDONLY|unix.MS_NODEV|unix.MS_NOEXEC|unix.MS_NOSUID))
 		return mount(source, m.Destination, procfd, m.Device, flags, "")
 	})
 }