authorAndrei Vagin <avagin@google.com>2019-04-04 17:42:51 -0700
committerShentubot <shentubot@google.com>2019-04-04 17:43:53 -0700
commit88409e983c463b6d9c8085e7fdbe7ff45b3c5184 (patch)
treef5ba3e9b1c67a7641a8d4d7c4106bd5bc5c2dcf1 /runsc/specutils
parent75a5ccf5d98876c26305da0feff20e4a148027ec (diff)
gvisor: Add support for the MS_NOEXEC mount option
https://github.com/google/gvisor/issues/145 PiperOrigin-RevId: 242044115 Change-Id: I8f140fe05e32ecd438b6be218e224e4b7fe05878
Diffstat (limited to 'runsc/specutils')
-rw-r--r--runsc/specutils/fs.go5
1 files changed, 2 insertions, 3 deletions
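--- a/runsc/specutils/fs.go
+++ b/runsc/specutils/fs.go
@@ -39,6 +39,7 @@ var optionsMap = map[string]mapping{
 "diratime": {set: false, val: syscall.MS_NODIRATIME},
 "dirsync": {set: true, val: syscall.MS_DIRSYNC},
 "exec": {set: false, val: syscall.MS_NOEXEC},
+"noexec": {set: true, val: syscall.MS_NOEXEC},
 "iversion": {set: true, val: syscall.MS_I_VERSION},
 "loud": {set: false, val: syscall.MS_SILENT},
 "mand": {set: true, val: syscall.MS_MANDLOCK},
@@ -76,9 +77,7 @@ var propOptionsMap = map[string]mapping{
 // invalidOptions list options not allowed.
 // - shared: sandbox must be isolated from the host. Propagating mount changes
 // from the sandbox to the host breaks the isolation.
-// - noexec: not yet supported. Don't ignore it since it could break
-// in-sandbox security.
-var invalidOptions = []string{"shared", "rshared", "noexec"}
+var invalidOptions = []string{"shared", "rshared"}
 // OptionsToFlags converts mount options to syscall flags.
 func OptionsToFlags(opts []string) uint32 {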
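Review bot: The new `"noexec"` entry breaks the alphabetical order the rest of optionsMap keeps (diratime, dirsync, exec, iversion, loud, mand), and nothing records that it was deliberately placed next to its `"exec"` counterpart; either move it after `"mand"` or add a comment such as `// "exec" and "noexec" are kept adjacent: they set and clear the same MS_NOEXEC bit.` The removed invalidOptions comment explained that silently dropping noexec would weaken in-sandbox security; now that the option is accepted, the comment above optionsMap or on the noexec line should state that MS_NOEXEC is passed through to the sandbox rather than merely tolerated, so a later reader does not reinstate the rejection. The diffstat limited to runsc/specutils shows no test change; if the package has a table test for OptionsToFlags, a case asserting that `OptionsToFlags([]string{"noexec"})` yields syscall.MS_NOEXEC and that a later `"exec"` clears it again would pin the new mapping. OptionsToFlags begins on the hunk's last line and its body lies outside the hunk, so whether option order is honored cannot be checked here.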