core/mount: add test for getUnprivilegedMountFlags

lukefr09 · k8s-infra-cherrypick-robot · commit ef7a8beb375c · 2026-02-26T10:38:35.000Z
Mounts a tmpfs with MS_NOEXEC, MS_NOATIME, and MS_NODIRATIME and
verifies that getUnprivilegedMountFlags detects all of them. These
three flags were the ones missed by the range-over-indices bug.

Also verifies that flags not present on the mount (MS_NOSUID,
MS_NODEV, MS_RDONLY) are not falsely reported.

Signed-off-by: Luke Hinds &lt;luke@stacklok.com&gt;
diff --git a/core/mount/mount_linux_test.go b/core/mount/mount_linux_test.go
@@ -404,6 +404,50 @@ func TestDoPrepareIDMappedOverlay(t *testing.T) {
 	}
 }
 
+func TestGetUnprivilegedMountFlags(t *testing.T) {
+	testutil.RequiresRoot(t)
+
+	td := t.TempDir()
+	target := filepath.Join(td, "mnt")
+	require.NoError(t, os.Mkdir(target, 0755))
+
+	// Mount a tmpfs with noexec,noatime,nodiratime -- these are the flags
+	// that were previously missed due to iterating over slice indices
+	// instead of values.
+	require.NoError(t, unix.Mount("tmpfs", target, "tmpfs", unix.MS_NOEXEC|unix.MS_NOATIME|unix.MS_NODIRATIME, ""))
+	defer unix.Unmount(target, unix.MNT_DETACH)
+
+	flags, err := getUnprivilegedMountFlags(target)
+	require.NoError(t, err)
+
+	for _, tc := range []struct {
+		flag int
+		name string
+	}{
+		{unix.MS_NOEXEC, "MS_NOEXEC"},
+		{unix.MS_NOATIME, "MS_NOATIME"},
+		{unix.MS_NODIRATIME, "MS_NODIRATIME"},
+	} {
+		if flags&tc.flag != tc.flag {
+			t.Errorf("expected %s (0x%x) to be set in flags 0x%x", tc.name, tc.flag, flags)
+		}
+	}
+
+	// MS_NOSUID and MS_NODEV should NOT be set since we didn't mount with them.
+	for _, tc := range []struct {
+		flag int
+		name string
+	}{
+		{unix.MS_NOSUID, "MS_NOSUID"},
+		{unix.MS_NODEV, "MS_NODEV"},
+		{unix.MS_RDONLY, "MS_RDONLY"},
+	} {
+		if flags&tc.flag != 0 {
+			t.Errorf("expected %s (0x%x) to NOT be set in flags 0x%x", tc.name, tc.flag, flags)
+		}
+	}
+}
+
 func setupMounts(t *testing.T) (target string, mounts []Mount) {
 	dir1 := t.TempDir()
 	dir2 := t.TempDir()
