Update sbserver to add noexec nodev and nosuid to /etc/resolv.conf mount bind.

Signed-off-by: Vinayak Goyal <vinaygo@google.com>
2023-03-30 21:52:19 +00:00 · 2023-03-30 21:52:19 +00:00 · ac84bf7c89
commit ac84bf7c89
parent 990199a021
2 changed files with 9 additions and 1 deletions
--- a/pkg/cri/sbserver/podsandbox/sandbox_run_linux.go
+++ b/pkg/cri/sbserver/podsandbox/sandbox_run_linux.go
@ -115,7 +115,7 @@ func (c *Controller) sandboxContainerSpec(id string, config *runtime.PodSandboxC
 			Source:      c.getResolvPath(id),
 			Destination: resolvConfPath,
 			Type:        "bind",
-			Options:     []string{"rbind", "ro"},
+			Options:     []string{"rbind", "ro", "nosuid", "nodev", "noexec"},
 		},
 	}))

--- a/pkg/cri/sbserver/podsandbox/sandbox_run_linux_test.go
+++ b/pkg/cri/sbserver/podsandbox/sandbox_run_linux_test.go
@ -91,6 +91,14 @@ func getRunPodSandboxTestData() (*runtime.PodSandboxConfig, *imagespec.ImageConf
 			assert.NotEqual(t, "", spec.Process.SelinuxLabel)
 			assert.NotEqual(t, "", spec.Linux.MountLabel)
 		}
+
+		assert.Contains(t, spec.Mounts, runtimespec.Mount{
+			Source:      "/test/root/sandboxes/test-id/resolv.conf",
+			Destination: resolvConfPath,
+			Type:        "bind",
+			Options:     []string{"rbind", "ro", "nosuid", "nodev", "noexec"},
+		})
+
 	}
 	return config, imageConfig, specCheck
 }