Add default mount options to pass to drivers
I believe we should be running container images mounted with nodev by default.
This would eliminate the risk of a device sneaking into the container without
being on the approved list.  This would give us the same or potentially additional
security over the device cgroup.

It would be nice if this could be passed in on an image by image basis.  So users
could also specify if they want nosuid images.

Signed-off-by: Daniel J Walsh <[email protected]>
rhatdan committed May 14, 2018
1 parent f382d39 commit 22c34e2
Showing 3 changed files with 12 additions and 0 deletions.
3 changes: 3 additions & 0 deletions docs/containers-storage.conf.5.md
@@ -56,6 +56,9 @@ The `storage.options` table supports the following options:
old, the driver is not supported. But for kernels that have had the drivers backported, this flag
allows users to override the checks

**mount_options**=""
Default options to be used to mount container images. Suggested value "nodev".

# HISTORY
May 2017, Originally compiled by Dan Walsh <[email protected]>
Format copied from crio.conf man page created by Aleksa Sarai <[email protected]>
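Review bot: the new **mount_options** entry does not say which drivers honor it or how the value is interpreted. In this commit only the overlay driver reads it (as `overlay.mountoptions` in drivers/overlay/overlay.go), and the string is prepended verbatim to the overlayfs mount data, so the man page should state that it is a comma-separated list of mount options passed through unmodified and that `nodev`/`nosuid` are generic mount flags rather than overlayfs-specific options. The entry also shows the default as `""` while storage.conf in the same commit ships `mount_options = "nodev"`; pick one default and document it consistently in both places.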
6 changes: 6 additions & 0 deletions drivers/overlay/overlay.go
@@ -84,6 +84,7 @@ type overlayOptions struct {
overrideKernelCheck bool
imageStores []string
quota quota.Quota
mountOptions string
}

// Driver contains information about the home directory and the list of active mounts that are created using this driver.
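Review bot: `mountOptions string` is added without a comment, and because it is spliced straight into the mount data the next reader has no hint about its format. A one-line comment such as `mountOptions string // comma-separated mount options prepended to the overlay mount data, unvalidated` would make the contract clear.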
@@ -203,6 +204,8 @@ func parseOptions(options []string) (*overlayOptions, error) {
if err != nil {
return nil, err
}
case ".mountoptions", "overlay.mountoptions", "overlay2.mountoptions":
o.mountOptions = val
case ".size", "overlay.size", "overlay2.size":
logrus.Debugf("overlay: size=%s", val)
size, err := units.RAMInBytes(val)
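Review bot: `o.mountOptions = val` stores the value unchecked, while every other case in this switch validates or at least logs what it accepted (see the `logrus.Debugf("overlay: size=%s", val)` in the `.size` case right below). Since this string is placed at the front of the overlay mount data, consider trimming whitespace and trailing commas and rejecting values that carry the `lowerdir=`, `upperdir=` or `workdir=` keys the driver sets itself, so a configuration file cannot inject those paths; a matching `logrus.Debugf("overlay: mountoptions=%s", val)` would also help when diagnosing mount failures caused by a bad option string.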
@@ -666,6 +669,9 @@ func (d *Driver) Get(id, mountLabel string) (_ string, retErr error) {
if len(mountData) > pageSize {
//FIXME: We need to figure out to get this to work with additional stores
opts = fmt.Sprintf("lowerdir=%s,upperdir=%s,workdir=%s", strings.Join(relLowers, ":"), path.Join(id, "diff"), path.Join(id, "work"))
if d.options.mountOptions != "" {
opts = fmt.Sprintf("%s,%s", d.options.mountOptions, opts)
}
mountData = label.FormatMountLabel(opts, mountLabel)
if len(mountData) > pageSize {
return "", fmt.Errorf("cannot mount layer, mount label too large %d", len(mountData))
3 changes: 3 additions & 0 deletions storage.conf
@@ -24,6 +24,9 @@ size = ""
# OverrideKernelCheck tells the driver to ignore kernel checks based on kernel version
override_kernel_check = "false"

# MountOptions tells the driver to mount images with the mount flag
mount_options = "nodev"

# Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of
# a container, to UIDs/GIDs as they should appear outside of the container, and
# the length of the range of UIDs/GIDs. Additional mapped sets can be listed
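Review bot: as far as this diff shows, nothing reads `mount_options` out of storage.conf. The three changed files are the man page, overlay.go (which only recognizes the driver option strings `.mountoptions`, `overlay.mountoptions` and `overlay2.mountoptions`) and this config file; the loader that turns storage.conf keys such as `override_kernel_check` into driver options is untouched, so `mount_options = "nodev"` here is inert until that loader gains a field for it and emits the corresponding `mountoptions` driver option. The comment should also describe the value rather than restate the key: `# MountOptions tells the driver to mount images with the mount flag` would read better as `# mount_options is a comma-separated list of mount options (e.g. "nodev,nosuid") applied when mounting container images`.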