ensure theat read only paths work properly.

2024-06-01 20:36:12 +02:00 · 2021-08-21 18:39:18 +09:00 · 2021-08-21 18:39:18 +09:00 · 5ba2ee67c9
parent 9acc899239
commit 5ba2ee67c9
3 changed files with 20 additions and 9 deletions
--- a/README.md
+++ b/README.md
@ -47,7 +47,7 @@ youki is not at the practical stage yet. However, it is getting closer to practi
 |    Seccomp     |             Filtering system calls              |                     WIP on [#25](https://github.com/containers/youki/issues/25)                     |
 |     Hooks      | Add custom processing during container creation |                                                  ✅                                                  |
 |    Rootless    |   Running a container without root privileges   | It works, but cgroups isn't supported. WIP on [#77](https://github.com/containers/youki/issues/77)  |
-| OCI Compliance |        Compliance with OCI Runtime Spec         |                                   37 out of 57 test cases passing                                   |
+| OCI Compliance |        Compliance with OCI Runtime Spec         |                                   38 out of 57 test cases passing                                   |

 # Getting Started

--- a/integration_test.sh
+++ b/integration_test.sh
@ -39,7 +39,7 @@ test_cases=(
  # "linux_ns_path/linux_ns_path.t"
  # "linux_ns_path_type/linux_ns_path_type.t"
  # "linux_process_apparmor_profile/linux_process_apparmor_profile.t"
-  # "linux_readonly_paths/linux_readonly_paths.t"
+  "linux_readonly_paths/linux_readonly_paths.t"
  # "linux_rootfs_propagation/linux_rootfs_propagation.t"
  # "linux_seccomp/linux_seccomp.t"
  "linux_sysctl/linux_sysctl.t"
--- a/src/process/init.rs
+++ b/src/process/init.rs
@ -311,18 +311,16 @@ fn sysctl(kernel_params: &HashMap<String, String>) -> Result<()> {
    Ok(())
 }

+// make a read only path
+// The first time we bind mount, other flags are ignored,
+// so we need to mount it once and then remount it with the necessary flags specified.
+// https://man7.org/linux/man-pages/man2/mount.2.html
 fn readonly_path(path: &str) -> Result<()> {
    match nix_mount::<str, str, str, str>(
        Some(path),
        path,
        None::<&str>,
-        MsFlags::MS_BIND
-            | MsFlags::MS_REC
-            | MsFlags::MS_NOSUID
-            | MsFlags::MS_NODEV
-            | MsFlags::MS_NOEXEC
-            | MsFlags::MS_BIND
-            | MsFlags::MS_RDONLY,
+        MsFlags::MS_BIND | MsFlags::MS_REC,
        None::<&str>,
    ) {
        // ignore error if path is not exist.
@ -333,6 +331,19 @@ fn readonly_path(path: &str) -> Result<()> {
        Err(err) => bail!(err),
        Ok(_) => {}
    }
+
+    nix_mount::<str, str, str, str>(
+        Some(path),
+        path,
+        None::<&str>,
+        MsFlags::MS_NOSUID
+            | MsFlags::MS_NODEV
+            | MsFlags::MS_NOEXEC
+            | MsFlags::MS_BIND
+            | MsFlags::MS_REMOUNT
+            | MsFlags::MS_RDONLY,
+        None::<&str>,
+    )?;
    log::debug!("readonly path {:?} mounted", path);
    Ok(())
 }