From 8f8f16efafd48da3c5e4db329a90bb76620b2324 Mon Sep 17 00:00:00 2001
From: Fabricio Voznika
Date: Fri, 13 Mar 2020 08:56:47 -0700
Subject: Add support for mount flags Plumbs MS_NOEXEC and MS_RDONLY. Others are TODO. Updates #1623 #1193
PiperOrigin-RevId: 300764669
---
 pkg/sentry/vfs/vfs.go | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'pkg/sentry/vfs/vfs.go')
diff --git a/pkg/sentry/vfs/vfs.go b/pkg/sentry/vfs/vfs.go
index bde81e1ef..365e8b30d 100644
--- a/pkg/sentry/vfs/vfs.go
+++ b/pkg/sentry/vfs/vfs.go
@@ -388,6 +388,11 @@ func (vfs *VirtualFilesystem) OpenAt(ctx context.Context, creds *auth.Credential
 // TODO(gvisor.dev/issue/1193): Move inside fsimpl to avoid another call
 // to FileDescription.Stat().
 if opts.FileExec {
+ if fd.Mount().flags.NoExec {
+ fd.DecRef()
+ return nil, syserror.EACCES
+ }
+
 // Only a regular file can be executed.
 stat, err := fd.Stat(ctx, StatOptions{Mask: linux.STATX_TYPE})
 if err != nil {
-- cgit v1.2.3
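Review bot: The new `NoExec` branch inside `if opts.FileExec {` has no comment, and it is the only enforcement point for the flag visible on this page, so its scope should be stated. I would add `// Deny exec-opens on a mount carrying MS_NOEXEC; Linux returns EACCES here too.` above the `if fd.Mount().flags.NoExec {` line. The check runs only after the file description has been opened, and `fd.DecRef()` is the sole cleanup, so it is worth confirming that no caller combines `FileExec` with open flags that have side effects. Linux also refuses `PROT_EXEC` mappings of files on a noexec mount; whether this commit covers that path cannot be seen here because the page is limited to vfs.go. OpenAt's body begins and ends outside the hunk.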