runtime: readonly mounts should be readonly bindmount on the host

bergwolf · egernst · commit 509eb6f850c0 · 2020-11-05T15:18:16.000-08:00
So that we get protected at the VM boundary not just the guest kernel.

Signed-off-by: Peng Tao &lt;bergwolf@hyper.sh&gt;
diff --git a/virtcontainers/container.go b/virtcontainers/container.go
@@ -481,7 +481,7 @@ func (c *Container) shareFiles(m Mount, idx int, hostSharedDir, guestSharedDir s
 	} else {
 		// These mounts are created in the shared dir
 		mountDest := filepath.Join(hostSharedDir, filename)
-		if err := bindMount(c.ctx, m.Source, mountDest, false, "private"); err != nil {
+		if err := bindMount(c.ctx, m.Source, mountDest, m.ReadOnly, "private"); err != nil {
 			return "", false, err
 		}
 		// Save HostPath mount value into the mount list of the container.
@@ -557,22 +557,12 @@ func (c *Container) mountSharedDirMounts(hostSharedDir, guestSharedDir string) (
 			continue
 		}
 
-		// Check if mount is readonly, let the agent handle the readonly mount
-		// within the VM.
-		readonly := false
-		for _, flag := range m.Options {
-			if flag == "ro" {
-				readonly = true
-				break
-			}
-		}
-
 		sharedDirMount := Mount{
 			Source:      guestDest,
 			Destination: m.Destination,
 			Type:        m.Type,
 			Options:     m.Options,
-			ReadOnly:    readonly,
+			ReadOnly:    m.ReadOnly,
 		}
 
 		sharedDirMounts[sharedDirMount.Destination] = sharedDirMount
diff --git a/virtcontainers/pkg/oci/utils.go b/virtcontainers/pkg/oci/utils.go
@@ -165,11 +165,19 @@ func cmdEnvs(spec specs.Spec, envs []types.EnvVar) []types.EnvVar {
 }
 
 func newMount(m specs.Mount) vc.Mount {
+	readonly := false
+	for _, flag := range m.Options {
+		if flag == "ro" {
+			readonly = true
+			break
+		}
+	}
 	return vc.Mount{
 		Source:      m.Source,
 		Destination: m.Destination,
 		Type:        m.Type,
 		Options:     m.Options,
+		ReadOnly:    readonly,
 	}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -165,11 +165,19 @@ func cmdEnvs(spec specs.Spec, envs []types.EnvVar) []types.EnvVar {`
`165`	`165`	`}`
`166`	`166`
`167`	`167`	`func newMount(m specs.Mount) vc.Mount {`
	`168`	`+ readonly := false`
	`169`	`+ for _, flag := range m.Options {`
	`170`	`+ if flag == "ro" {`
	`171`	`+ readonly = true`
	`172`	`+ break`
	`173`	`+ }`
	`174`	`+ }`
`168`	`175`	`return vc.Mount{`
`169`	`176`	`Source: m.Source,`
`170`	`177`	`Destination: m.Destination,`
`171`	`178`	`Type: m.Type,`
`172`	`179`	`Options: m.Options,`
	`180`	`+ ReadOnly: readonly,`
`173`	`181`	`}`
`174`	`182`	`}`
`175`	`183`