Fix bind mounts of filesystems with nodev, nosuid, noexec options set
Currently bind mounts of filesystems with nodev, nosuid, noexec options
set fail in rootless mode if the same options are not set for the bind
mount. For ro filesystems this was resolved by #2570 by remounting again
with ro set. Follow the same approach for nodev, nosuid, noexec.

Signed-off-by: Ruediger Pluem <[email protected]>
rpluem-vf committed Apr 3, 2023
1 parent e6c1d00 commit 4f72891
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions libcontainer/rootfs_linux.go
@@ -1071,16 +1071,16 @@ func remount(m *configs.Mount, rootfs string, mountFd *int) error {
if err == nil {
return nil
}
// Check if the source has ro flag...
// Check if the source has ro, nodev, noexec, nosuid flag...
var s unix.Statfs_t
if err := unix.Statfs(source, &s); err != nil {
return &os.PathError{Op: "statfs", Path: source, Err: err}
}
if s.Flags&unix.MS_RDONLY != unix.MS_RDONLY {
if s.Flags&(unix.MS_RDONLY|unix.MS_NODEV|unix.MS_NOEXEC|unix.MS_NOSUID) == 0 {
return err
}
// ... and retry the mount with ro flag set.
flags |= unix.MS_RDONLY
// ... and retry the mount with flags found above.
flags |= uintptr(s.Flags&(unix.MS_RDONLY|unix.MS_NODEV|unix.MS_NOEXEC|unix.MS_NOSUID))
return mount(source, m.Destination, procfd, m.Device, flags, "")
})
}
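Review bot: The retry line `flags |= uintptr(s.Flags&(unix.MS_RDONLY|unix.MS_NODEV|unix.MS_NOEXEC|unix.MS_NOSUID))` masks the `f_flags` value returned by `statfs` with `MS_*` mount constants, which is correct only because `ST_RDONLY`/`ST_NOSUID`/`ST_NODEV`/`ST_NOEXEC` have the same bit values as their `MS_*` counterparts on Linux; that coupling is undocumented and the mask is written out twice. I would name it once, for example `const lockedFlags = unix.MS_RDONLY | unix.MS_NODEV | unix.MS_NOEXEC | unix.MS_NOSUID // same bit values as the ST_* flags reported by statfs`, and use it in both the `== 0` test and the retry. The retry only adds restrictive flags, so it fails closed, but it runs silently after any first-attempt error rather than only a permission error. If the container config explicitly asked for the opposite (for example `exec` or `suid`), the mount would now succeed with different semantics than requested, which may deserve a debug log or an explicit error; how `flags` is built is outside this hunk, so confirm there. The enclosing closure and `remount` begin before the visible lines.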