From ae4dbb60d5e339bfcd5e8f41cdb0f8418e35ce54 Mon Sep 17 00:00:00 2001
From: Vinayak Goyal
Date: Fri, 24 Mar 2023 21:34:34 +0000
Subject: [PATCH] Add noexec nodev and nosuid to sandbox /etc/resolv.conf mount bind.

Signed-off-by: Vinayak Goyal
---
 pkg/cri/server/sandbox_run_linux.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/cri/server/sandbox_run_linux.go b/pkg/cri/server/sandbox_run_linux.go
index a1a26af8f..380e85d02 100644
--- a/pkg/cri/server/sandbox_run_linux.go
+++ b/pkg/cri/server/sandbox_run_linux.go
@@ -133,7 +133,7 @@ func (c *criService) sandboxContainerSpec(id string, config *runtime.PodSandboxC
 Source: c.getResolvPath(id),
 Destination: resolvConfPath,
 Type: "bind",
- Options: []string{"rbind", "ro"},
+ Options: []string{"rbind", "ro", "nosuid", "nodev", "noexec"},
 },
 }))
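Review bot: The widened `Options` slice on the `resolvConfPath` bind mount carries no comment recording that the extra flags are deliberate hardening, so a later cleanup could drop them unnoticed; a line such as `// resolv.conf is plain data: never honour setuid bits, device nodes or exec through this mount.` above the entry would pin the intent. The diffstat shows only this one file changed, so no test guards the change; a spec test asserting that the mount whose destination is `resolvConfPath` includes `nosuid`, `nodev` and `noexec` would keep the hardening from regressing. Any other bind mounts of runtime-generated files are outside this hunk; if some still use only `rbind` and `ro`, they presumably want the same flags, which is worth confirming. The body of `sandboxContainerSpec` starts and ends outside the hunk.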