github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Merge pull request #8309 from vinayakankugoyal/fixresolv

Browse Source 
Add noexec nodev and nosuid to sandbox /etc/resolv.conf mount bind.
This commit is contained in:
Samuel Karp 2023-03-30 17:34:08 -07:00 committed by GitHub
commit 8f756bc8c2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 18 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pkg/cri/sbserver/podsandbox/sandbox_run_linux.go
View File

@ -115,7 +115,7 @@ func (c *Controller) sandboxContainerSpec(id string, config *runtime.PodSandboxC
Source: c.getResolvPath(id), Source: c.getResolvPath(id),
Destination: resolvConfPath, Destination: resolvConfPath,
Type: "bind", Type: "bind",
Options: []string{"rbind", "ro"}, Options: []string{"rbind", "ro", "nosuid", "nodev", "noexec"},
}, },
})) }))

8
pkg/cri/sbserver/podsandbox/sandbox_run_linux_test.go
View File

@ -91,6 +91,14 @@ func getRunPodSandboxTestData() (*runtime.PodSandboxConfig, *imagespec.ImageConf
assert.NotEqual(t, "", spec.Process.SelinuxLabel) assert.NotEqual(t, "", spec.Process.SelinuxLabel)
assert.NotEqual(t, "", spec.Linux.MountLabel) assert.NotEqual(t, "", spec.Linux.MountLabel)
} }
assert.Contains(t, spec.Mounts, runtimespec.Mount{
Source: "/test/root/sandboxes/test-id/resolv.conf",
Destination: resolvConfPath,
Type: "bind",
Options: []string{"rbind", "ro", "nosuid", "nodev", "noexec"},
})
} }
return config, imageConfig, specCheck return config, imageConfig, specCheck
} }

2
pkg/cri/server/sandbox_run_linux.go
View File

@ -133,7 +133,7 @@ func (c *criService) sandboxContainerSpec(id string, config *runtime.PodSandboxC
Source: c.getResolvPath(id), Source: c.getResolvPath(id),
Destination: resolvConfPath, Destination: resolvConfPath,
Type: "bind", Type: "bind",
Options: []string{"rbind", "ro"}, Options: []string{"rbind", "ro", "nosuid", "nodev", "noexec"},
}, },
})) }))

8
pkg/cri/server/sandbox_run_linux_test.go
View File

@ -91,6 +91,14 @@ func getRunPodSandboxTestData() (*runtime.PodSandboxConfig, *imagespec.ImageConf
assert.NotEqual(t, "", spec.Process.SelinuxLabel) assert.NotEqual(t, "", spec.Process.SelinuxLabel)
assert.NotEqual(t, "", spec.Linux.MountLabel) assert.NotEqual(t, "", spec.Linux.MountLabel)
} }
assert.Contains(t, spec.Mounts, runtimespec.Mount{
Source: "/test/root/sandboxes/test-id/resolv.conf",
Destination: resolvConfPath,
Type: "bind",
Options: []string{"rbind", "ro", "nosuid", "nodev", "noexec"},
})
} }
return config, imageConfig, specCheck return config, imageConfig, specCheck
} }