diff options
Diffstat (limited to 'pkg/sentry')
-rw-r--r-- | pkg/sentry/fs/context.go | 5 | ||||
-rw-r--r-- | pkg/sentry/fs/filesystems.go | 4 | ||||
-rw-r--r-- | pkg/sentry/fs/proc/mounts.go | 3 | ||||
-rw-r--r-- | pkg/sentry/syscalls/linux/sys_mount.go | 5 |
4 files changed, 16 insertions, 1 deletions
diff --git a/pkg/sentry/fs/context.go b/pkg/sentry/fs/context.go index 1775d3486..c0e6075e4 100644 --- a/pkg/sentry/fs/context.go +++ b/pkg/sentry/fs/context.go @@ -46,6 +46,11 @@ func ContextCanAccessFile(ctx context.Context, inode *Inode, reqPerms PermMask) p = uattr.Perms.Group } + // Do not allow programs to be executed if MS_NOEXEC is set. + if IsFile(inode.StableAttr) && reqPerms.Execute && inode.MountSource.Flags.NoExec { + return false + } + // Are permissions satisfied without capability checks? if p.SupersetOf(reqPerms) { return true diff --git a/pkg/sentry/fs/filesystems.go b/pkg/sentry/fs/filesystems.go index aa664b973..a6b27c402 100644 --- a/pkg/sentry/fs/filesystems.go +++ b/pkg/sentry/fs/filesystems.go @@ -140,6 +140,10 @@ type MountSourceFlags struct { // cache, even when the platform supports direct mapped I/O. This // doesn't correspond to any Linux mount options. ForcePageCache bool + + // NoExec corresponds to mount(2)'s "MS_NOEXEC" and indicates that + // binaries from this file system can't be executed. + NoExec bool } // GenericMountSourceOptions splits a string containing comma separated tokens of the diff --git a/pkg/sentry/fs/proc/mounts.go b/pkg/sentry/fs/proc/mounts.go index 7111e5c0f..1e62af8c6 100644 --- a/pkg/sentry/fs/proc/mounts.go +++ b/pkg/sentry/fs/proc/mounts.go @@ -129,6 +129,9 @@ func (mif *mountInfoFile) ReadSeqFileData(ctx context.Context, handle seqfile.Se if m.Flags.NoAtime { opts += ",noatime" } + if m.Flags.NoExec { + opts += ",noexec" + } fmt.Fprintf(&buf, "%s ", opts) // (7) Optional fields: zero or more fields of the form "tag[:value]". diff --git a/pkg/sentry/syscalls/linux/sys_mount.go b/pkg/sentry/syscalls/linux/sys_mount.go index 6b8d75d24..e110a553f 100644 --- a/pkg/sentry/syscalls/linux/sys_mount.go +++ b/pkg/sentry/syscalls/linux/sys_mount.go @@ -75,7 +75,7 @@ func Mount(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.Syscall // Silently allow MS_NOSUID, since we don't implement set-id bits // anyway. - const unsupportedFlags = linux.MS_NODEV | linux.MS_NOEXEC | + const unsupportedFlags = linux.MS_NODEV | linux.MS_NODIRATIME | linux.MS_STRICTATIME // Linux just allows passing any flags to mount(2) - it won't fail when @@ -100,6 +100,9 @@ func Mount(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.Syscall if flags&linux.MS_RDONLY == linux.MS_RDONLY { superFlags.ReadOnly = true } + if flags&linux.MS_NOEXEC == linux.MS_NOEXEC { + superFlags.NoExec = true + } rootInode, err := rsys.Mount(t, sourcePath, superFlags, data, nil) if err != nil { |