@@ -404,6 +404,50 @@ func TestDoPrepareIDMappedOverlay(t *testing.T) {
404404 }
405405}
406406
407+ func TestGetUnprivilegedMountFlags (t * testing.T ) {
408+ testutil .RequiresRoot (t )
409+
410+ td := t .TempDir ()
411+ target := filepath .Join (td , "mnt" )
412+ require .NoError (t , os .Mkdir (target , 0755 ))
413+
414+ // Mount a tmpfs with noexec,noatime,nodiratime -- these are the flags
415+ // that were previously missed due to iterating over slice indices
416+ // instead of values.
417+ require .NoError (t , unix .Mount ("tmpfs" , target , "tmpfs" , unix .MS_NOEXEC | unix .MS_NOATIME | unix .MS_NODIRATIME , "" ))
418+ defer unix .Unmount (target , unix .MNT_DETACH )
419+
420+ flags , err := getUnprivilegedMountFlags (target )
421+ require .NoError (t , err )
422+
423+ for _ , tc := range []struct {
424+ flag int
425+ name string
426+ }{
427+ {unix .MS_NOEXEC , "MS_NOEXEC" },
428+ {unix .MS_NOATIME , "MS_NOATIME" },
429+ {unix .MS_NODIRATIME , "MS_NODIRATIME" },
430+ } {
431+ if flags & tc .flag != tc .flag {
432+ t .Errorf ("expected %s (0x%x) to be set in flags 0x%x" , tc .name , tc .flag , flags )
433+ }
434+ }
435+
436+ // MS_NOSUID and MS_NODEV should NOT be set since we didn't mount with them.
437+ for _ , tc := range []struct {
438+ flag int
439+ name string
440+ }{
441+ {unix .MS_NOSUID , "MS_NOSUID" },
442+ {unix .MS_NODEV , "MS_NODEV" },
443+ {unix .MS_RDONLY , "MS_RDONLY" },
444+ } {
445+ if flags & tc .flag != 0 {
446+ t .Errorf ("expected %s (0x%x) to NOT be set in flags 0x%x" , tc .name , tc .flag , flags )
447+ }
448+ }
449+ }
450+
407451func setupMounts (t * testing.T ) (target string , mounts []Mount ) {
408452 dir1 := t .TempDir ()
409453 dir2 := t .TempDir ()
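Review bot: The positive assertions in TestGetUnprivilegedMountFlags cover only MS_NOEXEC, MS_NOATIME and MS_NODIRATIME, while MS_NOSUID, MS_NODEV and MS_RDONLY are only ever checked for absence, so the test still passes if getUnprivilegedMountFlags stops reporting them on a mount that carries them. Those three restrict what a mount permits, and any caller that relies on the returned flags would not see their loss (the callers are not visible in this hunk). I would run the same checks over a second tmpfs mounted with them, as in the table-driven sketch below. The sketch also moves the unmount into `t.Cleanup` so that a failure is reported instead of being dropped by the `defer`. The comment at new line 436 names only MS_NOSUID and MS_NODEV although the table under it also checks MS_RDONLY.

```go
func TestGetUnprivilegedMountFlags(t *testing.T) {
	testutil.RequiresRoot(t)

	// Every flag this test asserts on; whatever a case does not mount with
	// must be absent from the result.
	const all = unix.MS_RDONLY | unix.MS_NOSUID | unix.MS_NODEV |
		unix.MS_NOEXEC | unix.MS_NOATIME | unix.MS_NODIRATIME

	for _, tc := range []struct {
		name string
		set  int
	}{
		{"noexec,noatime,nodiratime", unix.MS_NOEXEC | unix.MS_NOATIME | unix.MS_NODIRATIME},
		{"ro,nosuid,nodev", unix.MS_RDONLY | unix.MS_NOSUID | unix.MS_NODEV},
	} {
		t.Run(tc.name, func(t *testing.T) {
			target := filepath.Join(t.TempDir(), "mnt")
			require.NoError(t, os.Mkdir(target, 0755))
			require.NoError(t, unix.Mount("tmpfs", target, "tmpfs", uintptr(tc.set), ""))
			t.Cleanup(func() {
				if err := unix.Unmount(target, unix.MNT_DETACH); err != nil {
					t.Errorf("unmount %s: %v", target, err)
				}
			})

			flags, err := getUnprivilegedMountFlags(target)
			require.NoError(t, err)

			if flags&tc.set != tc.set {
				t.Errorf("expected 0x%x to be set in flags 0x%x", tc.set, flags)
			}
			if unexpected := flags & (all &^ tc.set); unexpected != 0 {
				t.Errorf("expected 0x%x to NOT be set in flags 0x%x", unexpected, flags)
			}
		})
	}
}
```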