github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Add noexec nodev and nosuid to sandbox /etc/resolv.conf mount bind.

Browse Source 
Signed-off-by: Vinayak Goyal <vinaygo@google.com>
This commit is contained in:
Vinayak Goyal 2023-03-24 21:34:34 +00:00
parent f7f2be7321
commit ae4dbb60d5
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pkg/cri/server/sandbox_run_linux.go
View File

@ -133,7 +133,7 @@ func (c *criService) sandboxContainerSpec(id string, config *runtime.PodSandboxC
Source: c.getResolvPath(id), Source: c.getResolvPath(id),
Destination: resolvConfPath, Destination: resolvConfPath,
Type: "bind", Type: "bind",
Options: []string{"rbind", "ro"}, Options: []string{"rbind", "ro", "nosuid", "nodev", "noexec"},
}, },
})) }))