From 663ee91eec01706008046c1df2c307716f9288db Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Wed, 22 Aug 2018 17:45:44 +0200
Subject: [PATCH] Fix Mount Propagation

Default mount propagation inside of containes should be private

Signed-off-by: Daniel J Walsh

Closes: #1305
Approved by: mheon
---
 libpod/container_internal_linux.go | 2 +-
 pkg/secrets/secrets.go | 4 ++--
 pkg/spec/createconfig.go | 4 ++--
 pkg/spec/spec.go | 20 ++++++-------------
 test/e2e/run_test.go | 30 ++++++++++++++++++++++++++++++
 5 files changed, 41 insertions(+), 19 deletions(-)

diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index ba02c9f5a2..c0912dc0db 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -107,7 +107,7 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 Type: "bind",
 Source: srcPath,
 Destination: dstPath,
- Options: []string{"rw", "bind"},
+ Options: []string{"rw", "bind", "private"},
 }
 if !MountExists(g.Mounts(), dstPath) {
 g.AddMount(newMount)
diff --git a/pkg/secrets/secrets.go b/pkg/secrets/secrets.go
index 6f38f1fd50..be5642ebaa 100644
--- a/pkg/secrets/secrets.go
+++ b/pkg/secrets/secrets.go
@@ -243,7 +243,7 @@ func addSecretsFromMountsFile(filePath, mountLabel, containerWorkingDir, mountPr
 Source: filepath.Join(mountPrefix, ctrDir),
 Destination: ctrDir,
 Type: "bind",
- Options: []string{"bind"},
+ Options: []string{"bind", "private"},
 }
 mounts = append(mounts, m)
 
@@ -278,7 +278,7 @@ func addFIPSModeSecret(mounts *[]rspec.Mount, containerWorkingDir string) error
 Source: ctrDirOnHost,
 Destination: secretsDir,
 Type: "bind",
- Options: []string{"bind"},
+ Options: []string{"bind", "private"},
 }
 *mounts = append(*mounts, m)
 }
diff --git a/pkg/spec/createconfig.go b/pkg/spec/createconfig.go
index 41030bf264..c7eaeb9f7e 100644
--- a/pkg/spec/createconfig.go
+++ b/pkg/spec/createconfig.go
@@ -214,7 +214,7 @@ func (c *CreateConfig) GetVolumeMounts(specMounts []spec.Mount) ([]spec.Mount, e
 Destination: vol,
 Type: string(TypeTmpfs),
 Source: string(TypeTmpfs),
- Options: []string{"rw", "noexec", "nosuid", "nodev", "tmpcopyup"},
+ Options: []string{"private", "rw", "noexec", "nosuid", "nodev", "tmpcopyup"},
 }
 m = append(m, mount)
 }
@@ -272,7 +272,7 @@ func (c *CreateConfig) GetTmpfsMounts() []spec.Mount {
 var m []spec.Mount
 for _, i := range c.Tmpfs {
 // Default options if nothing passed
- options := []string{"rw", "noexec", "nosuid", "nodev", "size=65536k"}
+ options := []string{"private", "rw", "noexec", "nosuid", "nodev", "size=65536k"}
 spliti := strings.Split(i, ":")
 destPath := spliti[0]
 if len(spliti) > 1 {
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index 255b700451..a915c305f7 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -41,7 +41,7 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
 Destination: "/sys",
 Type: "sysfs",
 Source: "sysfs",
- Options: []string{"nosuid", "noexec", "nodev", "rw"},
+ Options: []string{"private", "nosuid", "noexec", "nodev", "rw"},
 }
 g.AddMount(sysMnt)
 } else if !canMountSys {
@@ -65,7 +65,7 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
 Destination: "/dev/pts",
 Type: "devpts",
 Source: "devpts",
- Options: []string{"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620"},
+ Options: []string{"private", "nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620"},
 }
 g.AddMount(devPts)
 }
@@ -95,7 +95,7 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
 Destination: "/sys/fs/cgroup",
 Type: "cgroup",
 Source: "cgroup",
- Options: []string{"nosuid", "noexec", "nodev", "relatime", cgroupPerm},
+ Options: []string{"private", "nosuid", "noexec", "nodev", "relatime", cgroupPerm},
 }
 g.AddMount(cgroupMnt)
 }
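Review bot: The tmpfs default option list in GetTmpfsMounts (hunk @@ -272) is duplicated verbatim in CreateConfigToOCISpec (hunk @@ -223 of pkg/spec/spec.go), and this commit inserts "private" at a different position in each copy, so the two defaults have already started to drift. Since both sites live in pkg/spec, one package-level `var defaultTmpfsOptions = []string{"private", "rw", "noexec", "nosuid", "nodev", "size=65536k"}` referenced from both would keep them in step; if the options slice is appended to further down (the rest of both loops is outside the hunk), take a copy first with `options := append([]string(nil), defaultTmpfsOptions...)` so the shared slice is never mutated. Both enclosing functions start and end outside their hunks.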
@@ -223,7 +223,7 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
 
 for _, i := range config.Tmpfs {
 // Default options if nothing passed
- options := []string{"rw", "noexec", "nosuid", "nodev", "size=65536k"}
+ options := []string{"rw", "private", "noexec", "nosuid", "nodev", "size=65536k"}
 spliti := strings.SplitN(i, ":", 2)
 if len(spliti) > 1 {
 if _, _, err := mount.ParseTmpfsOptions(spliti[1]); err != nil {
@@ -303,17 +303,9 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
 return nil, errors.Wrapf(err, "error getting volume mounts")
 }
 configSpec.Mounts = append(configSpec.Mounts, mounts...)
- for _, mount := range configSpec.Mounts {
- for _, opt := range mount.Options {
- switch opt {
- case "private", "rprivate", "slave", "rslave", "shared", "rshared":
- if err := g.SetLinuxRootPropagation(opt); err != nil {
- return nil, errors.Wrapf(err, "error setting root propagation for %q", mount.Destination)
- }
- }
- }
+ if err := g.SetLinuxRootPropagation("shared"); err != nil {
+ return nil, errors.Wrapf(err, "failed to set propagation to rslave")
 }
-
 if canAddResources {
 // BLOCK IO
 blkio, err := config.CreateBlockIO()
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index 7bba1e31ef..e437d47d3f 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
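Review bot: The wrap message on the new SetLinuxRootPropagation call in hunk @@ -303 says "failed to set propagation to rslave" while the value actually passed is "shared", so a failure here would send the reader chasing the wrong setting; make it `return nil, errors.Wrapf(err, "error setting root propagation to shared")`, which also matches the "error ..." phrasing used on the surrounding returns. The choice itself deserves a why-comment, because the commit message says the in-container default should be private while this line sets the root to shared; from the other hunks and the two new e2e tests it appears the intent is that the mounts podman adds carry "private" in their own Options while the root stays shared so a volume explicitly requested as shared can still propagate — `// Root propagation stays shared so volumes explicitly requested as shared can propagate; the mounts podman adds itself set "private" in their own Options.` If that reading is right, it also means any future mount added without an explicit propagation option silently inherits shared, which is worth stating in the same comment so the invariant is not lost. CreateConfigToOCISpec starts and ends outside the hunk.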
@@ -566,4 +566,34 @@ USER mail`
 session.WaitWithDefaultTimeout()
 Expect(session.ExitCode()).To(Equal(0))
 })
+
+ It("podman run findmnt nothing shared", func() {
+ vol1 := filepath.Join(podmanTest.TempDir, "vol-test1")
+ err := os.MkdirAll(vol1, 0755)
+ Expect(err).To(BeNil())
+ vol2 := filepath.Join(podmanTest.TempDir, "vol-test2")
+ err = os.MkdirAll(vol2, 0755)
+ Expect(err).To(BeNil())
+
+ session := podmanTest.Podman([]string{"run", "--volume", vol1 + ":/myvol1:z", "--volume", vol2 + ":/myvol2:z", fedoraMinimal, "findmnt", "-o", "TARGET,PROPAGATION"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ match, _ := session.GrepString("shared")
+ Expect(match).Should(BeFalse())
+ })
+
+ It("podman run findmnt shared", func() {
+ vol1 := filepath.Join(podmanTest.TempDir, "vol-test1")
+ err := os.MkdirAll(vol1, 0755)
+ Expect(err).To(BeNil())
+ vol2 := filepath.Join(podmanTest.TempDir, "vol-test2")
+ err = os.MkdirAll(vol2, 0755)
+ Expect(err).To(BeNil())
+
+ session := podmanTest.Podman([]string{"run", "--volume", vol1 + ":/myvol1:z", "--volume", vol2 + ":/myvol2:shared,z", fedoraMinimal, "findmnt", "-o", "TARGET,PROPAGATION"})
+ session.WaitWithDefaultTimeout()
+ Expect(session.ExitCode()).To(Equal(0))
+ match, _ := session.GrepString("shared")
+ Expect(match).Should(BeTrue())
+ })
 })
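Review bot: The two new It blocks repeat the same six lines of volume setup and the same run/wait/exit-code/grep sequence, differing only in the `:shared,z` suffix on vol2 and the expected match, so a small helper taking the second volume's option string and returning the GrepString result would halve the addition and make the contrast between the two cases visible at a glance. `GrepString("shared")` also matches the `rshared` value findmnt can print in the PROPAGATION column, which is acceptable for the negative case since that is the one guarding against any container mount being shared, but the positive case would be stricter if it checked that the shared propagation is reported on /myvol2 specifically rather than anywhere in the output. The enclosing Describe block starts outside the hunk.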