Merge pull request #8309 from vinayakankugoyal/fixresolv
Add noexec nodev and nosuid to sandbox /etc/resolv.conf mount bind.
This commit is contained in:
Samuel Karp
GitHub
commit
8f756bc8c2
@ -115,7 +115,7 @@ func (c *Controller) sandboxContainerSpec(id string, config *runtime.PodSandboxC
|
||||
Source: c.getResolvPath(id),
|
||||
Destination: resolvConfPath,
|
||||
Type: "bind",
|
||||
Options: []string{"rbind", "ro"},
|
||||
Options: []string{"rbind", "ro", "nosuid", "nodev", "noexec"},
|
||||
},
|
||||
}))
|
||||
|
||||
|
||||
@ -91,6 +91,14 @@ func getRunPodSandboxTestData() (*runtime.PodSandboxConfig, *imagespec.ImageConf
|
||||
assert.NotEqual(t, "", spec.Process.SelinuxLabel)
|
||||
assert.NotEqual(t, "", spec.Linux.MountLabel)
|
||||
}
|
||||
|
||||
assert.Contains(t, spec.Mounts, runtimespec.Mount{
|
||||
Source: "/test/root/sandboxes/test-id/resolv.conf",
|
||||
Destination: resolvConfPath,
|
||||
Type: "bind",
|
||||
Options: []string{"rbind", "ro", "nosuid", "nodev", "noexec"},
|
||||
})
|
||||
|
||||
}
|
||||
return config, imageConfig, specCheck
|
||||
}
|
||||
|
||||
@ -133,7 +133,7 @@ func (c *criService) sandboxContainerSpec(id string, config *runtime.PodSandboxC
|
||||
Source: c.getResolvPath(id),
|
||||
Destination: resolvConfPath,
|
||||
Type: "bind",
|
||||
Options: []string{"rbind", "ro"},
|
||||
Options: []string{"rbind", "ro", "nosuid", "nodev", "noexec"},
|
||||
},
|
||||
}))
|
||||
|
||||
|
||||
@ -91,6 +91,14 @@ func getRunPodSandboxTestData() (*runtime.PodSandboxConfig, *imagespec.ImageConf
|
||||
assert.NotEqual(t, "", spec.Process.SelinuxLabel)
|
||||
assert.NotEqual(t, "", spec.Linux.MountLabel)
|
||||
}
|
||||
|
||||
assert.Contains(t, spec.Mounts, runtimespec.Mount{
|
||||
Source: "/test/root/sandboxes/test-id/resolv.conf",
|
||||
Destination: resolvConfPath,
|
||||
Type: "bind",
|
||||
Options: []string{"rbind", "ro", "nosuid", "nodev", "noexec"},
|
||||
})
|
||||
|
||||
}
|
||||
return config, imageConfig, specCheck
|
||||
}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user