diff options
author | Andrei Vagin <avagin@google.com> | 2019-04-04 17:42:51 -0700 |
---|---|---|
committer | Shentubot <shentubot@google.com> | 2019-04-04 17:43:53 -0700 |
commit | 88409e983c463b6d9c8085e7fdbe7ff45b3c5184 (patch) | |
tree | f5ba3e9b1c67a7641a8d4d7c4106bd5bc5c2dcf1 /pkg/sentry/syscalls | |
parent | 75a5ccf5d98876c26305da0feff20e4a148027ec (diff) |
gvisor: Add support for the MS_NOEXEC mount option
https://github.com/google/gvisor/issues/145
PiperOrigin-RevId: 242044115
Change-Id: I8f140fe05e32ecd438b6be218e224e4b7fe05878
Diffstat (limited to 'pkg/sentry/syscalls')
-rw-r--r-- | pkg/sentry/syscalls/linux/sys_mount.go | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/pkg/sentry/syscalls/linux/sys_mount.go b/pkg/sentry/syscalls/linux/sys_mount.go index 6b8d75d24..e110a553f 100644 --- a/pkg/sentry/syscalls/linux/sys_mount.go +++ b/pkg/sentry/syscalls/linux/sys_mount.go @@ -75,7 +75,7 @@ func Mount(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.Syscall // Silently allow MS_NOSUID, since we don't implement set-id bits // anyway. - const unsupportedFlags = linux.MS_NODEV | linux.MS_NOEXEC | + const unsupportedFlags = linux.MS_NODEV | linux.MS_NODIRATIME | linux.MS_STRICTATIME // Linux just allows passing any flags to mount(2) - it won't fail when @@ -100,6 +100,9 @@ func Mount(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.Syscall if flags&linux.MS_RDONLY == linux.MS_RDONLY { superFlags.ReadOnly = true } + if flags&linux.MS_NOEXEC == linux.MS_NOEXEC { + superFlags.NoExec = true + } rootInode, err := rsys.Mount(t, sourcePath, superFlags, data, nil) if err != nil { |