core/mount: fix getUnprivilegedMountFlags iterating over indices instead of values #12941
…ead of values

The loop `for flag := range unprivilegedFlags` iterates over slice indices (0,1,2,3,4,5,6) rather than the actual flag values (MS_RDONLY, MS_NODEV, etc). This was a porting error from moby/moby where the data structure was a map (where `for k := range m` yields keys/values).

As a result, MS_NOEXEC, MS_NOATIME, MS_RELATIME, and MS_NODIRATIME are never detected or preserved. In user namespaces, this causes bind-mount remounts to fail with EPERM when any of these flags are locked on the parent mount, because the kernel requires all CL_UNPRIVILEGED locked flags to be preserved during remount. MS_RDONLY (0x1), MS_NOSUID (0x2), and MS_NODEV (0x4) happened to work by coincidence because their values equal low index numbers.

Fix by using `for _, flag := range` to iterate over values.

Signed-off-by: Luke Hinds <[email protected]>

Mounts a tmpfs with MS_NOEXEC, MS_NOATIME, and MS_NODIRATIME and verifies that getUnprivilegedMountFlags detects all of them. These three flags were the ones missed by the range-over-indices bug. Also verifies that flags not present on the mount (MS_NOSUID, MS_NODEV, MS_RDONLY) are not falsely reported.

Signed-off-by: Luke Hinds <[email protected]>
@lukefr09 I'm pretty sure you could've reopened the other PR

I deleted the fork repo by accident which killed the source branch so GitHub wouldn't let me reopen without it. Sorry for the duplicate! Luke
/cherry-pick release/2.1
@AkihiroSuda: once the present PR merges, I will cherry-pick it on top of

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
@AkihiroSuda: new pull request created: #12943
@AkihiroSuda: new pull request created: #12944
Resubmission of #12939 — accidentally closed when cleaning up unrelated branches. Same fix, already reviewed by @dcantah.
Original description:
- `getUnprivilegedMountFlags` uses `for flag := range unprivilegedFlags`, which iterates over slice indices (0–6) instead of the actual flag values (`MS_RDONLY`, `MS_NODEV`, etc.)
- Porting error from moby/moby, where the data structure was `map[uint64]string`. When converted to `[]int`, the loop was not updated to `for _, flag := range`.
- `MS_NOEXEC`, `MS_NOATIME`, `MS_RELATIME`, and `MS_NODIRATIME` are never detected or preserved during bind-mount remounts in user namespaces
- Changed `for flag := range` to `for _, flag := range` to iterate over values
- Test added for `getUnprivilegedMountFlags`
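The index-versus-value bug described in the commit message and the description above, as an added Go example that is not part of this PR or of containerd's code. The flag detection is factored into pure functions that take the statfs flag word as an `int` (the real function obtains it via `unix.Statfs`), and the Linux `MS_*` values are defined locally so the example runs offline without `golang.org/x/sys/unix`.

```go
package main

import "fmt"

// Linux mount flag values (<linux/mount.h>), defined here so the example runs
// without golang.org/x/sys/unix; containerd itself uses the unix.MS_* constants.
const (
	MS_RDONLY     = 0x1
	MS_NOSUID     = 0x2
	MS_NODEV      = 0x4
	MS_NOEXEC     = 0x8
	MS_NOATIME    = 0x400
	MS_NODIRATIME = 0x800
	MS_RELATIME   = 0x200000
)

// Slice of CL_UNPRIVILEGED-locked flags, in the same order as containerd's.
var unprivilegedFlags = []int{
	MS_RDONLY, MS_NODEV, MS_NOEXEC, MS_NOSUID, MS_NOATIME, MS_RELATIME, MS_NODIRATIME,
}

// buggyLockedFlags reproduces the broken loop: `for flag := range slice` yields the
// indices 0..6, so only bits equal to a small index (0x1, 0x2, 0x4) are ever detected.
func buggyLockedFlags(statfsFlags int) int {
	var flags int
	for flag := range unprivilegedFlags {
		if statfsFlags&flag == flag {
			flags |= flag
		}
	}
	return flags
}

// fixedLockedFlags is the corrected loop: `for _, flag := range` yields the values.
func fixedLockedFlags(statfsFlags int) int {
	var flags int
	for _, flag := range unprivilegedFlags {
		if statfsFlags&flag == flag {
			flags |= flag
		}
	}
	return flags
}

func main() {
	// Constructed statfs flag word for a mount locked nosuid,noexec,noatime,nodiratime.
	src := MS_NOSUID | MS_NOEXEC | MS_NOATIME | MS_NODIRATIME
	fmt.Printf("buggy=%#x fixed=%#x dropped=%#x\n",
		buggyLockedFlags(src), fixedLockedFlags(src), fixedLockedFlags(src)&^buggyLockedFlags(src))
}
```

The `dropped` value is exactly the set of locked flags a remount built from the buggy result would fail to carry over, which is what the kernel rejects with EPERM inside a user namespace.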