summaryrefslogtreecommitdiffhomepage
path: root/pkg/sentry
diff options
context:
space:
mode:
Diffstat (limited to 'pkg/sentry')
-rw-r--r--pkg/sentry/fs/context.go5
-rw-r--r--pkg/sentry/fs/filesystems.go4
-rw-r--r--pkg/sentry/fs/proc/mounts.go3
-rw-r--r--pkg/sentry/syscalls/linux/sys_mount.go5
4 files changed, 16 insertions, 1 deletions
diff --git a/pkg/sentry/fs/context.go b/pkg/sentry/fs/context.go
index 1775d3486..c0e6075e4 100644
--- a/pkg/sentry/fs/context.go
+++ b/pkg/sentry/fs/context.go
@@ -46,6 +46,11 @@ func ContextCanAccessFile(ctx context.Context, inode *Inode, reqPerms PermMask)
p = uattr.Perms.Group
}
+ // Do not allow programs to be executed if MS_NOEXEC is set.
+ if IsFile(inode.StableAttr) && reqPerms.Execute && inode.MountSource.Flags.NoExec {
+ return false
+ }
+
// Are permissions satisfied without capability checks?
if p.SupersetOf(reqPerms) {
return true
diff --git a/pkg/sentry/fs/filesystems.go b/pkg/sentry/fs/filesystems.go
index aa664b973..a6b27c402 100644
--- a/pkg/sentry/fs/filesystems.go
+++ b/pkg/sentry/fs/filesystems.go
@@ -140,6 +140,10 @@ type MountSourceFlags struct {
// cache, even when the platform supports direct mapped I/O. This
// doesn't correspond to any Linux mount options.
ForcePageCache bool
+
+ // NoExec corresponds to mount(2)'s "MS_NOEXEC" and indicates that
+ // binaries from this file system can't be executed.
+ NoExec bool
}
// GenericMountSourceOptions splits a string containing comma separated tokens of the
diff --git a/pkg/sentry/fs/proc/mounts.go b/pkg/sentry/fs/proc/mounts.go
index 7111e5c0f..1e62af8c6 100644
--- a/pkg/sentry/fs/proc/mounts.go
+++ b/pkg/sentry/fs/proc/mounts.go
@@ -129,6 +129,9 @@ func (mif *mountInfoFile) ReadSeqFileData(ctx context.Context, handle seqfile.Se
if m.Flags.NoAtime {
opts += ",noatime"
}
+ if m.Flags.NoExec {
+ opts += ",noexec"
+ }
fmt.Fprintf(&buf, "%s ", opts)
// (7) Optional fields: zero or more fields of the form "tag[:value]".
diff --git a/pkg/sentry/syscalls/linux/sys_mount.go b/pkg/sentry/syscalls/linux/sys_mount.go
index 6b8d75d24..e110a553f 100644
--- a/pkg/sentry/syscalls/linux/sys_mount.go
+++ b/pkg/sentry/syscalls/linux/sys_mount.go
@@ -75,7 +75,7 @@ func Mount(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.Syscall
// Silently allow MS_NOSUID, since we don't implement set-id bits
// anyway.
- const unsupportedFlags = linux.MS_NODEV | linux.MS_NOEXEC |
+ const unsupportedFlags = linux.MS_NODEV |
linux.MS_NODIRATIME | linux.MS_STRICTATIME
// Linux just allows passing any flags to mount(2) - it won't fail when
@@ -100,6 +100,9 @@ func Mount(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.Syscall
if flags&linux.MS_RDONLY == linux.MS_RDONLY {
superFlags.ReadOnly = true
}
+ if flags&linux.MS_NOEXEC == linux.MS_NOEXEC {
+ superFlags.NoExec = true
+ }
rootInode, err := rsys.Mount(t, sourcePath, superFlags, data, nil)
if err != nil {