ensure theat read only paths work properly.
This commit is contained in:
parent
9acc899239
commit
5ba2ee67c9
|
@ -47,7 +47,7 @@ youki is not at the practical stage yet. However, it is getting closer to practi
|
|||
| Seccomp | Filtering system calls | WIP on [#25](https://github.com/containers/youki/issues/25) |
|
||||
| Hooks | Add custom processing during container creation | ✅ |
|
||||
| Rootless | Running a container without root privileges | It works, but cgroups isn't supported. WIP on [#77](https://github.com/containers/youki/issues/77) |
|
||||
| OCI Compliance | Compliance with OCI Runtime Spec | 37 out of 57 test cases passing |
|
||||
| OCI Compliance | Compliance with OCI Runtime Spec | 38 out of 57 test cases passing |
|
||||
|
||||
# Getting Started
|
||||
|
||||
|
|
|
@ -39,7 +39,7 @@ test_cases=(
|
|||
# "linux_ns_path/linux_ns_path.t"
|
||||
# "linux_ns_path_type/linux_ns_path_type.t"
|
||||
# "linux_process_apparmor_profile/linux_process_apparmor_profile.t"
|
||||
# "linux_readonly_paths/linux_readonly_paths.t"
|
||||
"linux_readonly_paths/linux_readonly_paths.t"
|
||||
# "linux_rootfs_propagation/linux_rootfs_propagation.t"
|
||||
# "linux_seccomp/linux_seccomp.t"
|
||||
"linux_sysctl/linux_sysctl.t"
|
||||
|
|
|
@ -311,18 +311,16 @@ fn sysctl(kernel_params: &HashMap<String, String>) -> Result<()> {
|
|||
Ok(())
|
||||
}
|
||||
|
||||
// make a read only path
|
||||
// The first time we bind mount, other flags are ignored,
|
||||
// so we need to mount it once and then remount it with the necessary flags specified.
|
||||
// https://man7.org/linux/man-pages/man2/mount.2.html
|
||||
fn readonly_path(path: &str) -> Result<()> {
|
||||
match nix_mount::<str, str, str, str>(
|
||||
Some(path),
|
||||
path,
|
||||
None::<&str>,
|
||||
MsFlags::MS_BIND
|
||||
| MsFlags::MS_REC
|
||||
| MsFlags::MS_NOSUID
|
||||
| MsFlags::MS_NODEV
|
||||
| MsFlags::MS_NOEXEC
|
||||
| MsFlags::MS_BIND
|
||||
| MsFlags::MS_RDONLY,
|
||||
MsFlags::MS_BIND | MsFlags::MS_REC,
|
||||
None::<&str>,
|
||||
) {
|
||||
// ignore error if path is not exist.
|
||||
|
@ -333,6 +331,19 @@ fn readonly_path(path: &str) -> Result<()> {
|
|||
Err(err) => bail!(err),
|
||||
Ok(_) => {}
|
||||
}
|
||||
|
||||
nix_mount::<str, str, str, str>(
|
||||
Some(path),
|
||||
path,
|
||||
None::<&str>,
|
||||
MsFlags::MS_NOSUID
|
||||
| MsFlags::MS_NODEV
|
||||
| MsFlags::MS_NOEXEC
|
||||
| MsFlags::MS_BIND
|
||||
| MsFlags::MS_REMOUNT
|
||||
| MsFlags::MS_RDONLY,
|
||||
None::<&str>,
|
||||
)?;
|
||||
log::debug!("readonly path {:?} mounted", path);
|
||||
Ok(())
|
||||
}
|
||||
|
|
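Review bot: The remount added in the second hunk (the `nix_mount` call ending at `)?;`) runs unconditionally after the `match`, so if the ENOENT arm that sits between the two hunks (not visible here) only logs and falls through instead of returning, the `?` on the remount fails on the same missing path and the "ignore error if path is not exist" intent is lost; a `return Ok(());` in that arm, or an early `if !Path::new(path).exists() { return Ok(()); }` before the first mount, makes the skip explicit. Separately, the remount carries no `MS_REC`, so only the mount at `path` itself becomes read-only while any mounts replicated beneath it by the first `MS_BIND | MS_REC` call keep their original flags; that scope is worth stating in the new header comment, e.g. `// only the mount at path itself is made read-only; mounts nested beneath it keep their own flags`. Hard-coding `MS_NOSUID | MS_NODEV | MS_NOEXEC` on the remount only adds restrictions, which is the direction a remount inside a user namespace permits, so the rootless case should not hit EPERM from those flags. The match arms of `readonly_path` begin outside the visible hunks.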