diff options
author | Andrei Vagin <avagin@google.com> | 2019-04-04 17:42:51 -0700 |
---|---|---|
committer | Shentubot <shentubot@google.com> | 2019-04-04 17:43:53 -0700 |
commit | 88409e983c463b6d9c8085e7fdbe7ff45b3c5184 (patch) | |
tree | f5ba3e9b1c67a7641a8d4d7c4106bd5bc5c2dcf1 /runsc | |
parent | 75a5ccf5d98876c26305da0feff20e4a148027ec (diff) |
gvisor: Add support for the MS_NOEXEC mount option
https://github.com/google/gvisor/issues/145
PiperOrigin-RevId: 242044115
Change-Id: I8f140fe05e32ecd438b6be218e224e4b7fe05878
Diffstat (limited to 'runsc')
-rw-r--r-- | runsc/boot/fs.go | 2 | ||||
-rw-r--r-- | runsc/specutils/fs.go | 5 |
2 files changed, 4 insertions, 3 deletions
diff --git a/runsc/boot/fs.go b/runsc/boot/fs.go index 25e23c09b..8dfb6dce6 100644 --- a/runsc/boot/fs.go +++ b/runsc/boot/fs.go @@ -482,6 +482,8 @@ func mountFlags(opts []string) fs.MountSourceFlags { mf.ReadOnly = true case "noatime": mf.NoAtime = true + case "noexec": + mf.NoExec = true default: log.Warningf("ignoring unknown mount option %q", o) } diff --git a/runsc/specutils/fs.go b/runsc/specutils/fs.go index aa17d4eb9..98c3b19c0 100644 --- a/runsc/specutils/fs.go +++ b/runsc/specutils/fs.go @@ -39,6 +39,7 @@ var optionsMap = map[string]mapping{ "diratime": {set: false, val: syscall.MS_NODIRATIME}, "dirsync": {set: true, val: syscall.MS_DIRSYNC}, "exec": {set: false, val: syscall.MS_NOEXEC}, + "noexec": {set: true, val: syscall.MS_NOEXEC}, "iversion": {set: true, val: syscall.MS_I_VERSION}, "loud": {set: false, val: syscall.MS_SILENT}, "mand": {set: true, val: syscall.MS_MANDLOCK}, @@ -76,9 +77,7 @@ var propOptionsMap = map[string]mapping{ // invalidOptions list options not allowed. // - shared: sandbox must be isolated from the host. Propagating mount changes // from the sandbox to the host breaks the isolation. -// - noexec: not yet supported. Don't ignore it since it could break -// in-sandbox security. -var invalidOptions = []string{"shared", "rshared", "noexec"} +var invalidOptions = []string{"shared", "rshared"} // OptionsToFlags converts mount options to syscall flags. func OptionsToFlags(opts []string) uint32 { |