github/containerd
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Update sbserver to add noexec nodev and nosuid to /etc/resolv.conf mount bind.

Browse Source 
Signed-off-by: Vinayak Goyal <vinaygo@google.com>
This commit is contained in:
Vinayak Goyal
2023-03-30 21:52:19 +00:00
parent 990199a021
commit ac84bf7c89
2 changed files with 9 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
pkg/cri/sbserver/podsandbox/sandbox_run_linux.go
View File

@@ -115,7 +115,7 @@ func (c *Controller) sandboxContainerSpec(id string, config *runtime.PodSandboxC
Source: c.getResolvPath(id), Source: c.getResolvPath(id),
Destination: resolvConfPath, Destination: resolvConfPath,
Type: "bind", Type: "bind",
Options: []string{"rbind", "ro"}, Options: []string{"rbind", "ro", "nosuid", "nodev", "noexec"},
}, },
})) }))

8
pkg/cri/sbserver/podsandbox/sandbox_run_linux_test.go
View File

@@ -91,6 +91,14 @@ func getRunPodSandboxTestData() (*runtime.PodSandboxConfig, *imagespec.ImageConf
assert.NotEqual(t, "", spec.Process.SelinuxLabel) assert.NotEqual(t, "", spec.Process.SelinuxLabel)
assert.NotEqual(t, "", spec.Linux.MountLabel) assert.NotEqual(t, "", spec.Linux.MountLabel)
} }
assert.Contains(t, spec.Mounts, runtimespec.Mount{
Source: "/test/root/sandboxes/test-id/resolv.conf",
Destination: resolvConfPath,
Type: "bind",
Options: []string{"rbind", "ro", "nosuid", "nodev", "noexec"},
})
} }
return config, imageConfig, specCheck return config, imageConfig, specCheck
} }