From e1fd6be7e8aa5f0a74cb8153ef1ef19d317f8224 Mon Sep 17 00:00:00 2001
From: Gijs Peskens
Date: Mon, 10 May 2021 14:56:01 +0000
Subject: [PATCH 1/4] Fix mounts for FreeBSD
Signed-off-by: Gijs Peskens
---
oci/spec.go | 45 +-------------------------------------
oci/spec_freebsd.go | 40 ++++++++++++++++++++++++++++++++++
oci/spec_linux.go | 52 +++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 93 insertions(+), 44 deletions(-)
create mode 100644 oci/spec_freebsd.go
create mode 100644 oci/spec_linux.go
diff --git a/oci/spec.go b/oci/spec.go
index 035bb7e7d..34d766230 100644
--- a/oci/spec.go
+++ b/oci/spec.go
@@ -161,50 +161,6 @@ func populateDefaultUnixSpec(ctx context.Context, s *Spec, id string) error {
 },
 },
 },
- Mounts: []specs.Mount{
- {
- Destination: "/proc",
- Type: "proc",
- Source: "proc",
- Options: []string{"nosuid", "noexec", "nodev"},
- },
- {
- Destination: "/dev",
- Type: "tmpfs",
- Source: "tmpfs",
- Options: []string{"nosuid", "strictatime", "mode=755", "size=65536k"},
- },
- {
- Destination: "/dev/pts",
- Type: "devpts",
- Source: "devpts",
- Options: []string{"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5"},
- },
- {
- Destination: "/dev/shm",
- Type: "tmpfs",
- Source: "shm",
- Options: []string{"nosuid", "noexec", "nodev", "mode=1777", "size=65536k"},
- },
- {
- Destination: "/dev/mqueue",
- Type: "mqueue",
- Source: "mqueue",
- Options: []string{"nosuid", "noexec", "nodev"},
- },
- {
- Destination: "/sys",
- Type: "sysfs",
- Source: "sysfs",
- Options: []string{"nosuid", "noexec", "nodev", "ro"},
- },
- {
- Destination: "/run",
- Type: "tmpfs",
- Source: "tmpfs",
- Options: []string{"nosuid", "strictatime", "mode=755", "size=65536k"},
- },
- },
 Linux: &specs.Linux{
 MaskedPaths: []string{
 "/proc/acpi",
@@ -237,6 +193,7 @@ func populateDefaultUnixSpec(ctx context.Context, s *Spec, id string) error {
 Namespaces: defaultUnixNamespaces(),
 },
 }
+ s.Mounts = defaultMounts()
 return nil
 }
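Review bot: The `Linux: &specs.Linux{ MaskedPaths: []string{ "/proc/acpi",` block visible in the context lines stays in the shared populateDefaultUnixSpec while only the mount list moves behind `s.Mounts = defaultMounts()` in the second hunk, so a FreeBSD spec will still carry Linux-only masked/read-only paths and namespaces; presumably the FreeBSD runtime ignores them, but that deserves a sentence. A one-line comment on the new assignment would make the split explicit, e.g. `// Mounts differ per OS; defaultMounts is implemented once per platform.`. populateDefaultUnixSpec begins outside both hunks.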
diff --git a/oci/spec_freebsd.go b/oci/spec_freebsd.go
new file mode 100644
index 000000000..f89d890ae
--- /dev/null
+++ b/oci/spec_freebsd.go
@@ -0,0 +1,40 @@
+package oci
+
+import (
+ specs "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+func defaultMounts() []specs.Mount {
+ return []specs.Mount{
+ {
+ Destination: "/proc",
+ Type: "procfs",
+ Source: "proc",
+ Options: []string{"nosuid", "noexec"},
+ },
+ {
+ Destination: "/dev",
+ Type: "devfs",
+ Source: "devfs",
+ Options: []string{},
+ },
+ {
+ Destination: "/dev/fd",
+ Type: "fdescfs",
+ Source: "fdescfs",
+ Options: []string{},
+ },
+ {
+ Destination: "/dev/mqueue",
+ Type: "mqueue",
+ Source: "mqueue",
+ Options: []string{"nosuid", "noexec"},
+ },
+ {
+ Destination: "/dev/shm",
+ Type: "tmpfs",
+ Source: "shm",
+ Options: []string{"nosuid", "noexec", "mode=1777"},
+ },
+ }
+}
diff --git a/oci/spec_linux.go b/oci/spec_linux.go
new file mode 100644
index 000000000..1ac1cc28a
--- /dev/null
+++ b/oci/spec_linux.go
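Review bot: `Options: []string{}` on the `/dev` and `/dev/fd` entries allocates an empty non-nil slice where the idiomatic form is to leave the field unset (nil); as far as I recall specs.Mount tags Options with omitempty, so both encode the same way and `nil` reads as the deliberate "no options" it is. The new unexported defaultMounts also has no doc comment; `// defaultMounts returns the mounts every default FreeBSD spec starts with.` would do. The same two points apply to the Linux copy in spec_linux.go in this patch and to the mounts.go and mounts_freebsd.go rewrites in the second patch, so I will not repeat them there.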
@@ -0,0 +1,52 @@
+package oci
+
+import (
+ specs "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+func defaultMounts() []specs.Mount {
+ return []specs.Mount{
+ {
+ Destination: "/proc",
+ Type: "proc",
+ Source: "proc",
+ Options: []string{"nosuid", "noexec", "nodev"},
+ },
+ {
+ Destination: "/dev",
+ Type: "tmpfs",
+ Source: "tmpfs",
+ Options: []string{"nosuid", "strictatime", "mode=755", "size=65536k"},
+ },
+ {
+ Destination: "/dev/pts",
+ Type: "devpts",
+ Source: "devpts",
+ Options: []string{"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5"},
+ },
+ {
+ Destination: "/dev/shm",
+ Type: "tmpfs",
+ Source: "shm",
+ Options: []string{"nosuid", "noexec", "nodev", "mode=1777", "size=65536k"},
+ },
+ {
+ Destination: "/dev/mqueue",
+ Type: "mqueue",
+ Source: "mqueue",
+ Options: []string{"nosuid", "noexec", "nodev"},
+ },
+ {
+ Destination: "/sys",
+ Type: "sysfs",
+ Source: "sysfs",
+ Options: []string{"nosuid", "noexec", "nodev", "ro"},
+ },
+ {
+ Destination: "/run",
+ Type: "tmpfs",
+ Source: "tmpfs",
+ Options: []string{"nosuid", "strictatime", "mode=755", "size=65536k"},
+ },
+ }
+}
From de04b32430cc1b26a70641bbeef5a85e194a5c75 Mon Sep 17 00:00:00 2001
From: Gijs Peskens
Date: Mon, 10 May 2021 17:20:18 +0200
Subject: [PATCH 2/4] Add copyright header & make sure compilation succeeds on all platforms
Signed-off-by: Gijs Peskens
---
oci/mounts.go | 70 +++++++++++++++++++++++++++++++++++++++++++
oci/mounts_freebsd.go | 56 ++++++++++++++++++++++++++++++++++
oci/spec_freebsd.go | 40 -------------------------
oci/spec_linux.go | 52 --------------------------------
4 files changed, 126 insertions(+), 92 deletions(-)
create mode 100644 oci/mounts.go
create mode 100644 oci/mounts_freebsd.go
delete mode 100644 oci/spec_freebsd.go
delete mode 100644 oci/spec_linux.go
diff --git a/oci/mounts.go b/oci/mounts.go
new file mode 100644
index 000000000..1011396bf
--- /dev/null
+++ b/oci/mounts.go
@@ -0,0 +1,70 @@
+// +build !freebsd
+
+/*
+ Copyright The containerd Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/
+
+package oci
+
+import (
+ specs "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+func defaultMounts() []specs.Mount {
+ return []specs.Mount{
+ {
+ Destination: "/proc",
+ Type: "proc",
+ Source: "proc",
+ Options: []string{"nosuid", "noexec", "nodev"},
+ },
+ {
+ Destination: "/dev",
+ Type: "tmpfs",
+ Source: "tmpfs",
+ Options: []string{"nosuid", "strictatime", "mode=755", "size=65536k"},
+ },
+ {
+ Destination: "/dev/pts",
+ Type: "devpts",
+ Source: "devpts",
+ Options: []string{"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5"},
+ },
+ {
+ Destination: "/dev/shm",
+ Type: "tmpfs",
+ Source: "shm",
+ Options: []string{"nosuid", "noexec", "nodev", "mode=1777", "size=65536k"},
+ },
+ {
+ Destination: "/dev/mqueue",
+ Type: "mqueue",
+ Source: "mqueue",
+ Options: []string{"nosuid", "noexec", "nodev"},
+ },
+ {
+ Destination: "/sys",
+ Type: "sysfs",
+ Source: "sysfs",
+ Options: []string{"nosuid", "noexec", "nodev", "ro"},
+ },
+ {
+ Destination: "/run",
+ Type: "tmpfs",
+ Source: "tmpfs",
+ Options: []string{"nosuid", "strictatime", "mode=755", "size=65536k"},
+ },
+ }
+}
diff --git a/oci/mounts_freebsd.go b/oci/mounts_freebsd.go
new file mode 100644
index 000000000..529cd399e
--- /dev/null
+++ b/oci/mounts_freebsd.go
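Review bot: The `// +build !freebsd` constraint at the top compiles this Linux-specific mount set (sysfs, devpts with `gid=5`, mqueue) into every non-FreeBSD build, including the platforms where spec.go compiles but none of these filesystems exist, and the filename no longer says linux, so a reader will take the list as generic. A comment under the build tag would record the intent, e.g. `// Linux default mounts; also the fallback on every platform other than FreeBSD, which has its own mounts_freebsd.go.`. If only Linux should ever get this set, a `linux` tag plus a small stub for the remaining platforms is the alternative, but that is a design choice for the maintainers.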
@@ -0,0 +1,56 @@
+/*
+ Copyright The containerd Authors.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/
+
+package oci
+
+import (
+ specs "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+func defaultMounts() []specs.Mount {
+ return []specs.Mount{
+ {
+ Destination: "/proc",
+ Type: "procfs",
+ Source: "proc",
+ Options: []string{"nosuid", "noexec"},
+ },
+ {
+ Destination: "/dev",
+ Type: "devfs",
+ Source: "devfs",
+ Options: []string{},
+ },
+ {
+ Destination: "/dev/fd",
+ Type: "fdescfs",
+ Source: "fdescfs",
+ Options: []string{},
+ },
+ {
+ Destination: "/dev/mqueue",
+ Type: "mqueue",
+ Source: "mqueue",
+ Options: []string{"nosuid", "noexec"},
+ },
+ {
+ Destination: "/dev/shm",
+ Type: "tmpfs",
+ Source: "shm",
+ Options: []string{"nosuid", "noexec", "mode=1777"},
+ },
+ }
+}
diff --git a/oci/spec_freebsd.go b/oci/spec_freebsd.go
deleted file mode 100644
index f89d890ae..000000000
--- a/oci/spec_freebsd.go
+++ /dev/null
@@ -1,40 +0,0 @@
-package oci
-
-import (
- specs "github.com/opencontainers/runtime-spec/specs-go"
-)
-
-func defaultMounts() []specs.Mount {
- return []specs.Mount{
- {
- Destination: "/proc",
- Type: "procfs",
- Source: "proc",
- Options: []string{"nosuid", "noexec"},
- },
- {
- Destination: "/dev",
- Type: "devfs",
- Source: "devfs",
- Options: []string{},
- },
- {
- Destination: "/dev/fd",
- Type: "fdescfs",
- Source: "fdescfs",
- Options: []string{},
- },
- {
- Destination: "/dev/mqueue",
- Type: "mqueue",
- Source: "mqueue",
- Options: []string{"nosuid", "noexec"},
- },
- {
- Destination: "/dev/shm",
- Type: "tmpfs",
- Source: "shm",
- Options: []string{"nosuid", "noexec", "mode=1777"},
- },
- }
-}
diff --git a/oci/spec_linux.go b/oci/spec_linux.go
deleted file mode 100644
index 1ac1cc28a..000000000
--- a/oci/spec_linux.go
+++ /dev/null
@@ -1,52 +0,0 @@
-package oci
-
-import (
- specs "github.com/opencontainers/runtime-spec/specs-go"
-)
-
-func defaultMounts() []specs.Mount {
- return []specs.Mount{
- {
- Destination: "/proc",
- Type: "proc",
- Source: "proc",
- Options: []string{"nosuid", "noexec", "nodev"},
- },
- {
- Destination: "/dev",
- Type: "tmpfs",
- Source: "tmpfs",
- Options: []string{"nosuid", "strictatime", "mode=755", "size=65536k"},
- },
- {
- Destination: "/dev/pts",
- Type: "devpts",
- Source: "devpts",
- Options: []string{"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5"},
- },
- {
- Destination: "/dev/shm",
- Type: "tmpfs",
- Source: "shm",
- Options: []string{"nosuid", "noexec", "nodev", "mode=1777", "size=65536k"},
- },
- {
- Destination: "/dev/mqueue",
- Type: "mqueue",
- Source: "mqueue",
- Options: []string{"nosuid", "noexec", "nodev"},
- },
- {
- Destination: "/sys",
- Type: "sysfs",
- Source: "sysfs",
- Options: []string{"nosuid", "noexec", "nodev", "ro"},
- },
- {
- Destination: "/run",
- Type: "tmpfs",
- Source: "tmpfs",
- Options: []string{"nosuid", "strictatime", "mode=755", "size=65536k"},
- },
- }
-}
From 1442fee229bb6d536fa29d2a3aefccf5786d036a Mon Sep 17 00:00:00 2001
From: Gijs Peskens
Date: Thu, 13 May 2021 21:36:53 +0200
Subject: [PATCH 3/4] Remove mountpoints not commonly mounted on FreeBSD
Signed-off-by: Gijs Peskens
---
oci/mounts_freebsd.go | 18 ------------------
1 file changed, 18 deletions(-)
diff --git a/oci/mounts_freebsd.go b/oci/mounts_freebsd.go
index 529cd399e..cde5b94a3 100644
--- a/oci/mounts_freebsd.go
+++ b/oci/mounts_freebsd.go
@@ -22,12 +22,6 @@ import (
 func defaultMounts() []specs.Mount {
 return []specs.Mount{
- {
- Destination: "/proc",
- Type: "procfs",
- Source: "proc",
- Options: []string{"nosuid", "noexec"},
- },
 {
 Destination: "/dev",
 Type: "devfs",
@@ -40,17 +34,5 @@ func defaultMounts() []specs.Mount {
 Source: "fdescfs",
 Options: []string{},
 },
- {
- Destination: "/dev/mqueue",
- Type: "mqueue",
- Source: "mqueue",
- Options: []string{"nosuid", "noexec"},
- },
- {
- Destination: "/dev/shm",
- Type: "tmpfs",
- Source: "shm",
- Options: []string{"nosuid", "noexec", "mode=1777"},
- },
 }
 }
From a4f97d45da2886eea52b7ea179da8f66e2176975 Mon Sep 17 00:00:00 2001
From: Gijs Peskens
Date: Tue, 25 May 2021 09:17:16 +0200
Subject: [PATCH 4/4] Add ruleset=4 option
Signed-off-by: Gijs Peskens
---
oci/mounts_freebsd.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/oci/mounts_freebsd.go b/oci/mounts_freebsd.go
index cde5b94a3..42b9d7aff 100644
--- a/oci/mounts_freebsd.go
+++ b/oci/mounts_freebsd.go
@@ -26,7 +26,7 @@ func defaultMounts() []specs.Mount {
 Destination: "/dev",
 Type: "devfs",
 Source: "devfs",
- Options: []string{},
+ Options: []string{"ruleset=4"},
 },
 {
 Destination: "/dev/fd",
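Review bot: `Options: []string{"ruleset=4"}` in the last hunk pins the devfs ruleset by bare number with nothing saying what 4 is; on a stock FreeBSD host ruleset 4 is the `devfsrules_jail` set from the default devfs.rules, which hides every device node except the small jail-safe set, so this one line is what keeps the container from seeing the host's full /dev. A comment would stop that from being lost, e.g. `// ruleset 4 is devfsrules_jail (stock /etc/defaults/devfs.rules): only jail-safe device nodes are exposed.`. If the host has not defined ruleset 4, I believe devfs applies an empty ruleset and hides nothing, so that failure mode, and whether containerd should detect it, is worth documenting as well. defaultMounts continues past the end of this hunk; the two hunks of the preceding patch are pure deletions and raise nothing.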