--read-only-tmpfs=false should set /dev/* tmpfs to readonly

Fixes: #12937 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
containers · Jan 21, 2022 · acbfbe8 · acbfbe8
1 parent e3ea996
commit acbfbe8
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 4 deletions.
diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md
@@ -851,7 +851,8 @@ its root filesystem mounted as read only prohibiting any writes.
 
 #### **--read-only-tmpfs**
 
-If container is running in --read-only mode, then mount a read-write tmpfs on /run, /tmp, and /var/tmp. The default is *true*
+If container is running in --read-only mode, then mount a read-write tmpfs on /run, /tmp, and /var/tmp.
+When false, Podman mounts /dev, /dev/mqueue, /dev/pts, /dev/shm as read only. The default is *true*
 
 #### **--replace**
 

diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md
@@ -891,7 +891,8 @@ its root filesystem mounted as read only prohibiting any writes.
 
 #### **--read-only-tmpfs**
 
-If container is running in **--read-only** mode, then mount a read-write tmpfs on _/run_, _/tmp_, and _/var/tmp_. The default is **true**.
+If container is running in --read-only mode, then mount a read-write tmpfs on /run, /tmp, and /var/tmp.
+When false, Podman mounts /dev, /dev/mqueue, /dev/pts, /dev/shm as read only. The default is *true*
 
 #### **--replace**
 

diff --git a/pkg/specgen/generate/oci.go b/pkg/specgen/generate/oci.go
@@ -182,8 +182,6 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
 	if err != nil {
 		return nil, err
 	}
-	// Remove the default /dev/shm mount to ensure we overwrite it
-	g.RemoveMount("/dev/shm")
 	g.HostSpecific = true
 	addCgroup := true
 
@@ -430,5 +428,18 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
 	}
 	setProcOpts(s, &g)
 
+	if s.ReadOnlyTmpFS {
+		for n, m := range configSpec.Mounts {
+			switch m.Destination {
+			case "/dev", "/dev/shm", "/dev/mqueue", "/dev/pts":
+				m.Options = append(m.Options, "ro")
+				configSpec.Mounts[n] = m
+			}
+		}
+	} else {
+		// Remove the default /dev/shm mount to ensure we overwrite it
+		g.RemoveMount("/dev/shm")
+	}
+
 	return configSpec, nil
 }
diff --git a/pkg/specgen/specgen.go b/pkg/specgen/specgen.go
@@ -367,6 +367,9 @@ type ContainerSecurityConfig struct {
 	// ReadOnlyFilesystem indicates that everything will be mounted
 	// as read-only
 	ReadOnlyFilesystem bool `json:"read_only_filesystem,omitempty"`
+	// ReadOnlyTmpfs indicates that tmpfs will be mounted
+	// as read-only
+	ReadOnlyTmpFS bool `json:"read_only_tmpfs,omitempty"`
 	// Umask is the umask the init process of the container will be run with.
 	Umask string `json:"umask,omitempty"`
 	// ProcOpts are the options used for the proc mount.

diff --git a/pkg/specgenutil/specgen.go b/pkg/specgenutil/specgen.go
@@ -520,6 +520,7 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions
 	s.CapDrop = c.CapDrop
 	s.Privileged = c.Privileged
 	s.ReadOnlyFilesystem = c.ReadOnly
+	s.ReadOnlyTmpFS = !c.ReadOnlyTmpFS
 	s.ConmonPidFile = c.ConmonPIDFile
 
 	s.DependencyContainers = c.Requires