From 39772f8b50973f41d52b5fbcf4ab0efa1212d0a3 Mon Sep 17 00:00:00 2001
From: Ruediger Pluem
Date: Mon, 3 Apr 2023 18:12:08 +0200
Subject: [PATCH] Fix bind mounts of filesystems with nodev, nosuid, noexec options set

Currently bind mounts of filesystems with nodev, nosuid, noexec options set fail in rootless mode if the same options are not set for the bind mount. For ro filesystems this was resolved by #2570 by remounting again with roset. Follow the same approach for nodev, nosuid, noexec .

Signed-off-by: Ruediger Pluem
---
 libcontainer/rootfs_linux.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
index 582029288c6..fecb5d44eb1 100644
--- a/libcontainer/rootfs_linux.go
+++ b/libcontainer/rootfs_linux.go
@@ -1071,16 +1071,16 @@ func remount(m *configs.Mount, rootfs string, mountFd *int) error {
 if err == nil {
 return nil
 }
- // Check if the source has ro flag...
+ // Check if the source has ro, nodev, noexec, nosuid flag...
 var s unix.Statfs_t
 if err := unix.Statfs(source, &s); err != nil {
 return &os.PathError{Op: "statfs", Path: source, Err: err}
 }
- if s.Flags&unix.MS_RDONLY != unix.MS_RDONLY {
+ if s.Flags&(unix.MS_RDONLY|unix.MS_NODEV|unix.MS_NOEXEC|unix.MS_NOSUID) == 0 {
 return err
 }
- // ... and retry the mount with ro flag set.
- flags |= unix.MS_RDONLY
+ // ... and retry the mount with flags found above.
+ flags |= uintptr(s.Flags&(unix.MS_RDONLY|unix.MS_NODEV|unix.MS_NOEXEC|unix.MS_NOSUID))
 return mount(source, m.Destination, procfd, m.Device, flags, "")
 })
 }
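Review bot: The four-flag mask `unix.MS_RDONLY|unix.MS_NODEV|unix.MS_NOEXEC|unix.MS_NOSUID` is spelled out twice and applied to `s.Flags`, which holds statfs `ST_*` bits rather than mount `MS_*` bits; the two sets share values on Linux for these four flags, but the code does not say so and the two copies can drift apart. I would hoist it to one named constant, e.g. `const srcLockedFlags = unix.MS_RDONLY | unix.MS_NODEV | unix.MS_NOEXEC | unix.MS_NOSUID`, with the comment `// statfs f_flags are ST_*; for these four bits the values match the MS_* mount flags on Linux.` Separately, the retry ORs in whatever the source carries without looking at what the config asked for, so a mount that requested the opposite option would, as far as this hunk shows, succeed with stricter flags and no error or log; that fails safe, but a comment or debug log stating it is intentional would help whoever audits the effective mount options. The enclosing closure and the rest of `remount` lie outside the hunk.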