From ae4dbb60d5e339bfcd5e8f41cdb0f8418e35ce54 Mon Sep 17 00:00:00 2001
From: Vinayak Goyal
Date: Fri, 24 Mar 2023 21:34:34 +0000
Subject: [PATCH 1/3] Add noexec nodev and nosuid to sandbox /etc/resolv.conf mount bind.
Signed-off-by: Vinayak Goyal
---
 pkg/cri/server/sandbox_run_linux.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/cri/server/sandbox_run_linux.go b/pkg/cri/server/sandbox_run_linux.go
index a1a26af8f..380e85d02 100644
--- a/pkg/cri/server/sandbox_run_linux.go
+++ b/pkg/cri/server/sandbox_run_linux.go
@@ -133,7 +133,7 @@ func (c *criService) sandboxContainerSpec(id string, config *runtime.PodSandboxC
 Source: c.getResolvPath(id),
 Destination: resolvConfPath,
 Type: "bind",
- Options: []string{"rbind", "ro"},
+ Options: []string{"rbind", "ro", "nosuid", "nodev", "noexec"},
 },
 }))
From 990199a021fcbb5330cc3e050e581565f025366e Mon Sep 17 00:00:00 2001
From: Vinayak Goyal
Date: Wed, 29 Mar 2023 18:36:01 +0000
Subject: [PATCH 2/3] Test to ensure nosuid,nodev,noexec are set on /etc/reolv.conf mount.
Signed-off-by: Vinayak Goyal
---
 pkg/cri/server/sandbox_run_linux_test.go | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/pkg/cri/server/sandbox_run_linux_test.go b/pkg/cri/server/sandbox_run_linux_test.go
index 9c646e069..70209a45d 100644
--- a/pkg/cri/server/sandbox_run_linux_test.go
+++ b/pkg/cri/server/sandbox_run_linux_test.go
@@ -91,6 +91,14 @@ func getRunPodSandboxTestData() (*runtime.PodSandboxConfig, *imagespec.ImageConf
 assert.NotEqual(t, "", spec.Process.SelinuxLabel)
 assert.NotEqual(t, "", spec.Linux.MountLabel)
 }
+
+ assert.Contains(t, spec.Mounts, runtimespec.Mount{
+ Source: "/test/root/sandboxes/test-id/resolv.conf",
+ Destination: resolvConfPath,
+ Type: "bind",
+ Options: []string{"rbind", "ro", "nosuid", "nodev", "noexec"},
+ })
+
 }
 return config, imageConfig, specCheck
 }
From ac84bf7c893bcce52e0ba7a44c9e37e02c945d0d Mon Sep 17 00:00:00 2001
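Review bot: The new `+ Options: []string{"rbind", "ro", "nosuid", "nodev", "noexec"}` line in the patch 1/3 hunk has no comment recording why these flags were added, and because the rest of the mount slice built by `sandboxContainerSpec` lies outside the hunk (the function starts before it), a reader cannot tell whether any sibling bind mounts in the same slice were deliberately left at `rbind`, `ro`. If other sandbox files are bind-mounted alongside this one, the same hardening should be applied to them as well, or the asymmetry should be documented. Suggested comment above the `Options` line: `// nosuid/nodev/noexec: resolv.conf is read-only configuration that must never be executable or used as a device; the flags also avoid having to drop them on bind when the source filesystem is already mounted that way.` The identical hunk in pkg/cri/sbserver/podsandbox/sandbox_run_linux.go in patch 3/3 needs the same comment.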
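Review bot: The expected mount at the added `assert.Contains` in the patch 2/3 hunk hard-codes `Source: "/test/root/sandboxes/test-id/resolv.conf"`, duplicating the path layout that `getResolvPath` produces, so a change to the sandbox root layout would fail this test for reasons unrelated to mount options; deriving the expected source from the same helper or from the test's root and sandbox-ID constants would be more robust (if `c` is not reachable from `getRunPodSandboxTestData`, whose start lies outside the hunk, the constants are the option). The two blank `+` lines leave an empty line directly before the closing `}` of what appears to be the `specCheck` closure, which gofmt tolerates but the surrounding context lines do not do elsewhere. The commit subject also spells the file `/etc/reolv.conf`. The same points apply to the identical test hunk in pkg/cri/sbserver/podsandbox/sandbox_run_linux_test.go in patch 3/3.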
From: Vinayak Goyal
Date: Thu, 30 Mar 2023 21:52:19 +0000
Subject: [PATCH 3/3] Update sbserver to add noexec nodev and nosuid to /etc/resolv.conf mount bind.
Signed-off-by: Vinayak Goyal
---
 pkg/cri/sbserver/podsandbox/sandbox_run_linux.go | 2 +-
 pkg/cri/sbserver/podsandbox/sandbox_run_linux_test.go | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/pkg/cri/sbserver/podsandbox/sandbox_run_linux.go b/pkg/cri/sbserver/podsandbox/sandbox_run_linux.go
index 6c0ae002b..462ad6f8c 100644
--- a/pkg/cri/sbserver/podsandbox/sandbox_run_linux.go
+++ b/pkg/cri/sbserver/podsandbox/sandbox_run_linux.go
@@ -115,7 +115,7 @@ func (c *Controller) sandboxContainerSpec(id string, config *runtime.PodSandboxC
 Source: c.getResolvPath(id),
 Destination: resolvConfPath,
 Type: "bind",
- Options: []string{"rbind", "ro"},
+ Options: []string{"rbind", "ro", "nosuid", "nodev", "noexec"},
 },
 }))
diff --git a/pkg/cri/sbserver/podsandbox/sandbox_run_linux_test.go b/pkg/cri/sbserver/podsandbox/sandbox_run_linux_test.go
index 27996a1a3..4f6340778 100644
--- a/pkg/cri/sbserver/podsandbox/sandbox_run_linux_test.go
+++ b/pkg/cri/sbserver/podsandbox/sandbox_run_linux_test.go
@@ -91,6 +91,14 @@ func getRunPodSandboxTestData() (*runtime.PodSandboxConfig, *imagespec.ImageConf
 assert.NotEqual(t, "", spec.Process.SelinuxLabel)
 assert.NotEqual(t, "", spec.Linux.MountLabel)
 }
+
+ assert.Contains(t, spec.Mounts, runtimespec.Mount{
+ Source: "/test/root/sandboxes/test-id/resolv.conf",
+ Destination: resolvConfPath,
+ Type: "bind",
+ Options: []string{"rbind", "ro", "nosuid", "nodev", "noexec"},
+ })
+
 }
 return config, imageConfig, specCheck
 }