Add --file-access-mounts flag

--file-access-mounts flag is similar to --file-access, but controls
non-root mounts that were previously mounted in shared mode only.
This gives more flexibility to control how mounts are shared within
a container.

PiperOrigin-RevId: 364669882

1 files changed, 2 insertions, 1 deletions

diff --git a/runsc/config/flags.go b/runsc/config/flags.go
index adbee506c..1d996c841 100644
--- a/runsc/config/flags.go
+++ b/runsc/config/flags.go
@@ -67,7 +67,8 @@ func RegisterFlags() {
 		flag.Bool("oci-seccomp", false, "Enables loading OCI seccomp filters inside the sandbox.")
 
 		// Flags that control sandbox runtime behavior: FS related.
-		flag.Var(fileAccessTypePtr(FileAccessExclusive), "file-access", "specifies which filesystem to use for the root mount: exclusive (default), shared. Volume mounts are always shared.")
+		flag.Var(fileAccessTypePtr(FileAccessExclusive), "file-access", "specifies which filesystem validation to use for the root mount: exclusive (default), shared.")
+		flag.Var(fileAccessTypePtr(FileAccessShared), "file-access-mounts", "specifies which filesystem validation to use for volumes other than the root mount: shared (default), exclusive.")
 		flag.Bool("overlay", false, "wrap filesystem mounts with writable overlay. All modifications are stored in memory inside the sandbox.")
 		flag.Bool("verity", false, "specifies whether a verity file system will be mounted.")
 		flag.Bool("overlayfs-stale-read", true, "assume root mount is an overlay filesystem")