run_oci: verify/restrict mount options for mounts |
||||
Issue descriptionContext: https://chromium-review.googlesource.com/c/431318/ 1) We should mount OCI-required filesystems by default if they're not specified (/proc, /sys) 2) If those filesystems are specified, we should restrict the available mount options. e.g. we should not allow sysfs to be mounted without (nodev, noexec, nosuid).
,
Mar 10 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/platform2/+/fcc5d42bc64027fa468f0cdb45e3c5269856b007 commit fcc5d42bc64027fa468f0cdb45e3c5269856b007 Author: Stephen Barber <smbarber@chromium.org> Date: Fri Mar 10 11:09:01 2017 container_utils: don't mount sysfs by default The OCI spec confusingly says that certain filesystems must be "made available" in containers, but it appears the onus is still on the container's config.json to say whether or not it wants those filesystems. However, to enforce a bare minimum of sanity, we will sanitize the mount options for the sysfs and procfs mounts if they are specified in the config. BUG= chromium:698104 TEST=container starts when sysfs is a mount in config.json CQ-DEPEND=CL:449057 Change-Id: I091534f26aef75419c788851722d30568ba7aa23 Reviewed-on: https://chromium-review.googlesource.com/431318 Commit-Ready: Stephen Barber <smbarber@chromium.org> Tested-by: Stephen Barber <smbarber@chromium.org> Reviewed-by: Dylan Reid <dgreid@chromium.org> [modify] https://crrev.com/fcc5d42bc64027fa468f0cdb45e3c5269856b007/container_utils/run_oci.cc
,
Jul 5 2017
,
Nov 18 2017
,
May 9 2018
|
||||
►
Sign in to add a comment |
||||
Comment 1 by bugdroid1@chromium.org
, Mar 10 2017