runtime: readonly mounts should be readonly bindmount on the host
So that we are protected at the VM boundary, not just by the guest kernel. Signed-off-by: Peng Tao <bergwolf@hyper.sh>
@@ -470,7 +470,7 @@ func (c *Container) shareFiles(m Mount, idx int, hostSharedDir, guestSharedDir s
|
||||
} else {
|
||||
// These mounts are created in the shared dir
|
||||
mountDest := filepath.Join(hostSharedDir, filename)
|
||||
if err := bindMount(c.ctx, m.Source, mountDest, false, "private"); err != nil {
|
||||
if err := bindMount(c.ctx, m.Source, mountDest, m.ReadOnly, "private"); err != nil {
|
||||
return "", false, err
|
||||
}
|
||||
// Save HostPath mount value into the mount list of the container.
|
||||
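Review bot: The new `m.ReadOnly` argument now decides whether the host-side bind mount is read-only, but the hunk does not show how bindMount applies it; on Linux a read-only flag given on the initial MS_BIND call is ignored and only a follow-up MS_REMOUNT|MS_BIND|MS_RDONLY actually makes the bind read-only, so it is worth confirming bindMount performs that remount, otherwise the host view stays writable and the VM-boundary protection described in the commit message is not achieved. A short why-comment above the call would make the intent visible to the next reader: `// Bind read-only on the host as well, so the restriction holds at the VM boundary and not only inside the guest.` shareFiles starts and ends outside the hunk.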
@@ -546,22 +546,12 @@ func (c *Container) mountSharedDirMounts(hostSharedDir, guestSharedDir string) (
|
||||
continue
|
||||
}
|
||||
|
||||
// Check if mount is readonly, let the agent handle the readonly mount
|
||||
// within the VM.
|
||||
readonly := false
|
||||
for _, flag := range m.Options {
|
||||
if flag == "ro" {
|
||||
readonly = true
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
sharedDirMount := Mount{
|
||||
Source: guestDest,
|
||||
Destination: m.Destination,
|
||||
Type: m.Type,
|
||||
Options: m.Options,
|
||||
ReadOnly: readonly,
|
||||
ReadOnly: m.ReadOnly,
|
||||
}
|
||||
|
||||
sharedDirMounts[sharedDirMount.Destination] = sharedDirMount
|
||||
|
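Review bot: Dropping the scan of `m.Options` for `"ro"` makes this path depend entirely on `m.ReadOnly` having been set by whoever built the Mount; newMount derives it from the `ro` option, but any other producer of Mount in the runtime that copies Options without setting ReadOnly would now silently lose the read-only enforcement this loop used to provide, since Options still carries `ro` to the guest while the host bind stays writable. Worth confirming that every Mount constructor sets the field, or noting the contract on the ReadOnly field itself, e.g. `// ReadOnly must be set by the Mount producer; the shared-dir code no longer re-derives it from Options.` mountSharedDirMounts starts and ends outside the hunk.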
@@ -160,11 +160,19 @@ func cmdEnvs(spec specs.Spec, envs []types.EnvVar) []types.EnvVar {
|
||||
}
|
||||
|
||||
func newMount(m specs.Mount) vc.Mount {
|
||||
readonly := false
|
||||
for _, flag := range m.Options {
|
||||
if flag == "ro" {
|
||||
readonly = true
|
||||
break
|
||||
}
|
||||
}
|
||||
return vc.Mount{
|
||||
Source: m.Source,
|
||||
Destination: m.Destination,
|
||||
Type: m.Type,
|
||||
Options: m.Options,
|
||||
ReadOnly: readonly,
|
||||
}
|
||||
}
|
||||
|
||||
|
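Review bot: newMount becomes the single place where ReadOnly is derived from the mount options, a contract the container-side changes in this commit rely on, yet the function has no doc comment stating that; suggest `// newMount converts an OCI spec mount into a virtcontainers Mount. ReadOnly is set when the "ro" option is present; downstream code uses this field rather than re-parsing Options.` The loop recognizes only the exact `ro` token, which matches the code removed from mountSharedDirMounts, so behaviour there is unchanged.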