From a5d1332e8fd2b44cd4d00823d38f8e0c8fcf6c5d Mon Sep 17 00:00:00 2001
From: Lantao Liu
Date: Mon, 7 May 2018 15:13:14 -0700
Subject: [PATCH] Explicitly set `rw` for privileged container.

Signed-off-by: Lantao Liu
---
 pkg/server/container_create.go | 2 +-
 pkg/server/container_create_test.go | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/pkg/server/container_create.go b/pkg/server/container_create.go
index cb5b1f9a5..770f2edb2 100644
--- a/pkg/server/container_create.go
+++ b/pkg/server/container_create.go
@@ -523,7 +523,7 @@ func clearReadOnly(m *runtimespec.Mount) {
 opt = append(opt, o)
 }
 }
- m.Options = opt
+ m.Options = append(opt, "rw")
 }
 
 // addDevices set device mapping without privilege.
diff --git a/pkg/server/container_create_test.go b/pkg/server/container_create_test.go
index a0a3871ff..d7bde6daa 100644
--- a/pkg/server/container_create_test.go
+++ b/pkg/server/container_create_test.go
@@ -627,14 +627,14 @@ func TestPrivilegedBindMount(t *testing.T) {
 }
 spec := g.Spec()
 if test.expectedSysFSRO {
- checkMount(t, spec.Mounts, "sysfs", "/sys", "sysfs", []string{"ro"}, nil)
+ checkMount(t, spec.Mounts, "sysfs", "/sys", "sysfs", []string{"ro"}, []string{"rw"})
 } else {
- checkMount(t, spec.Mounts, "sysfs", "/sys", "sysfs", nil, []string{"ro"})
+ checkMount(t, spec.Mounts, "sysfs", "/sys", "sysfs", []string{"rw"}, []string{"ro"})
 }
 if test.expectedCgroupFSRO {
- checkMount(t, spec.Mounts, "cgroup", "/sys/fs/cgroup", "cgroup", []string{"ro"}, nil)
+ checkMount(t, spec.Mounts, "cgroup", "/sys/fs/cgroup", "cgroup", []string{"ro"}, []string{"rw"})
 } else {
- checkMount(t, spec.Mounts, "cgroup", "/sys/fs/cgroup", "cgroup", nil, []string{"ro"})
+ checkMount(t, spec.Mounts, "cgroup", "/sys/fs/cgroup", "cgroup", []string{"rw"}, []string{"ro"})
 }
 }
 }
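Review bot: The new `m.Options = append(opt, "rw")` in clearReadOnly appends `rw` unconditionally and carries no comment explaining why an explicit `rw` is needed once `ro` has been filtered out. The filter loop begins outside the hunk, so it is not visible whether an existing `rw` is dropped there; if it is not, a mount that already has `rw` ends up with the option twice, and the loop should skip `rw` as well as `ro`. I would add a why-comment above the line, for example `// Set rw explicitly instead of relying on the runtime's default when neither ro nor rw is present.` (adjust if the actual reason differs). Since this helper makes a mount writable, its doc comment should also state that callers must only reach it for privileged containers.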
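Review bot: The updated `checkMount` calls in TestPrivilegedBindMount only assert on `ro` and `rw`, so nothing here shows that the other options on the sysfs and cgroup mounts survive clearReadOnly rebuilding the options slice. If the default mounts carry hardening options such as `nosuid`, `noexec` or `nodev`, add them to the expected-present list in the privileged branches, e.g. `[]string{"rw", "nosuid"}`. A case whose input mount already contains `rw` would also show whether the option can end up duplicated. The test table is outside the hunk, so such cases may already exist there.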