	runtime: readonly mounts should be readonly bindmount on the host
So that we are protected at the VM boundary, not just by the guest kernel. Signed-off-by: Peng Tao <bergwolf@hyper.sh>
		| @@ -470,7 +470,7 @@ func (c *Container) shareFiles(m Mount, idx int, hostSharedDir, guestSharedDir s | |||||||
| 	} else { | 	} else { | ||||||
| 		// These mounts are created in the shared dir | 		// These mounts are created in the shared dir | ||||||
| 		mountDest := filepath.Join(hostSharedDir, filename) | 		mountDest := filepath.Join(hostSharedDir, filename) | ||||||
| 		if err := bindMount(c.ctx, m.Source, mountDest, false, "private"); err != nil { | 		if err := bindMount(c.ctx, m.Source, mountDest, m.ReadOnly, "private"); err != nil { | ||||||
| 			return "", false, err | 			return "", false, err | ||||||
| 		} | 		} | ||||||
| 		// Save HostPath mount value into the mount list of the container. | 		// Save HostPath mount value into the mount list of the container. | ||||||
| @@ -546,22 +546,12 @@ func (c *Container) mountSharedDirMounts(hostSharedDir, guestSharedDir string) ( | |||||||
| 			continue | 			continue | ||||||
| 		} | 		} | ||||||
|  |  | ||||||
| 		// Check if mount is readonly, let the agent handle the readonly mount |  | ||||||
| 		// within the VM. |  | ||||||
| 		readonly := false |  | ||||||
| 		for _, flag := range m.Options { |  | ||||||
| 			if flag == "ro" { |  | ||||||
| 				readonly = true |  | ||||||
| 				break |  | ||||||
| 			} |  | ||||||
| 		} |  | ||||||
|  |  | ||||||
| 		sharedDirMount := Mount{ | 		sharedDirMount := Mount{ | ||||||
| 			Source:      guestDest, | 			Source:      guestDest, | ||||||
| 			Destination: m.Destination, | 			Destination: m.Destination, | ||||||
| 			Type:        m.Type, | 			Type:        m.Type, | ||||||
| 			Options:     m.Options, | 			Options:     m.Options, | ||||||
| 			ReadOnly:    readonly, | 			ReadOnly:    m.ReadOnly, | ||||||
| 		} | 		} | ||||||
|  |  | ||||||
| 		sharedDirMounts[sharedDirMount.Destination] = sharedDirMount | 		sharedDirMounts[sharedDirMount.Destination] = sharedDirMount | ||||||
|   | |||||||
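Review bot: In the mountSharedDirMounts hunk the guest-side readonly decision now rests entirely on m.ReadOnly, so a Mount that reaches this path with "ro" in Options but ReadOnly left false (built anywhere other than the newMount constructor in this commit) is mounted read-write in the guest, where the removed Options scan would have caught it. A one-line comment at the sharedDirMount literal would make the new contract explicit: `// ReadOnly is expected to be set by whoever built this Mount (from the "ro" option); bindMount already applied it on the host side.` In the shareFiles hunk, the host-boundary protection the commit message promises depends on bindMount performing a remount with MS_RDONLY when the flag is true, since the kernel ignores MS_RDONLY on the initial MS_BIND; bindMount is not in this diff, so that is worth confirming. Both enclosing functions extend beyond the hunks shown.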
| @@ -160,11 +160,19 @@ func cmdEnvs(spec specs.Spec, envs []types.EnvVar) []types.EnvVar { | |||||||
| } | } | ||||||
|  |  | ||||||
| func newMount(m specs.Mount) vc.Mount { | func newMount(m specs.Mount) vc.Mount { | ||||||
|  | 	readonly := false | ||||||
|  | 	for _, flag := range m.Options { | ||||||
|  | 		if flag == "ro" { | ||||||
|  | 			readonly = true | ||||||
|  | 			break | ||||||
|  | 		} | ||||||
|  | 	} | ||||||
| 	return vc.Mount{ | 	return vc.Mount{ | ||||||
| 		Source:      m.Source, | 		Source:      m.Source, | ||||||
| 		Destination: m.Destination, | 		Destination: m.Destination, | ||||||
| 		Type:        m.Type, | 		Type:        m.Type, | ||||||
| 		Options:     m.Options, | 		Options:     m.Options, | ||||||
|  | 		ReadOnly:    readonly, | ||||||
| 	} | 	} | ||||||
| } | } | ||||||
|  |  | ||||||
|   | |||||||
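Review bot: newMount now carries the only "ro" detection in the runtime but has no doc comment explaining that, so a reader cannot tell that ReadOnly is the field both the host bind mount and the guest rely on. A comment such as `// newMount converts an OCI spec mount into a vc.Mount, setting ReadOnly when the "ro" option is present so the host bind mount and the guest both enforce it.` above the function would cover it. If the module already targets Go 1.21 or newer, the seven-line loop can become `ReadOnly: slices.Contains(m.Options, "ro"),`, but the module version cannot be confirmed from this diff.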