
Commit ac84bf7

Update sbserver to add noexec nodev and nosuid to /etc/resolv.conf mount bind.
Signed-off-by: Vinayak Goyal <[email protected]>
1 parent 990199a commit ac84bf7

2 files changed

Lines changed: 9 additions & 1 deletion


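--- a/pkg/cri/sbserver/podsandbox/sandbox_run_linux.go
+++ b/pkg/cri/sbserver/podsandbox/sandbox_run_linux.go
@@ -115,7 +115,7 @@ func (c *Controller) sandboxContainerSpec(id string, config *runtime.PodSandboxC
 Source: c.getResolvPath(id),
 Destination: resolvConfPath,
 Type: "bind",
-Options: []string{"rbind", "ro"},
+Options: []string{"rbind", "ro", "nosuid", "nodev", "noexec"},
 },
 }))
 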
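Review bot: The added `Options` line on the resolv.conf bind mount has no comment explaining the three new flags, and on a read-only single-file mount they can look redundant to a later reader. A line above the mount such as `// resolv.conf is data only; nosuid, nodev and noexec keep this bind mount from being used to execute code or expose a device node if the source file is ever replaced.` would record the intent. sandboxContainerSpec starts and ends outside this hunk, so it is not visible whether the other mounts it builds carry the same flags; that is worth checking in the same change.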

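--- a/pkg/cri/sbserver/podsandbox/sandbox_run_linux_test.go
+++ b/pkg/cri/sbserver/podsandbox/sandbox_run_linux_test.go
@@ -91,6 +91,14 @@ func getRunPodSandboxTestData() (*runtime.PodSandboxConfig, *imagespec.ImageConf
 assert.NotEqual(t, "", spec.Process.SelinuxLabel)
 assert.NotEqual(t, "", spec.Linux.MountLabel)
 }
+
+assert.Contains(t, spec.Mounts, runtimespec.Mount{
+Source: "/test/root/sandboxes/test-id/resolv.conf",
+Destination: resolvConfPath,
+Type: "bind",
+Options: []string{"rbind", "ro", "nosuid", "nodev", "noexec"},
+})
+
 }
 return config, imageConfig, specCheck
 }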
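Review bot: The new `assert.Contains` in the spec check compares a whole `runtimespec.Mount` value, so it pins the exact option list and, as far as testify's element equality goes, its order too, along with a hard-coded source path. If the exact match is intended, say so with a comment like `// Exact match on purpose: resolv.conf must be a read-only bind mount with nosuid, nodev and noexec and no other options.`; otherwise a harmless reorder in sandboxContainerSpec will fail this test without telling the reader which flag is at issue. The enclosing getRunPodSandboxTestData starts outside the hunk, so the fixture values behind `/test/root/sandboxes/test-id/resolv.conf` are not visible here.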
