From acbfbe809e8753e0da43e43fa73406be25bd22cb Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Thu, 20 Jan 2022 17:07:22 -0500
Subject: [PATCH] --read-only-tmpfs=false should set /dev/* tmpfs to readonly

Fixes: https://github.com/containers/podman/issues/12937

Signed-off-by: Daniel J Walsh
---
 docs/source/markdown/podman-create.1.md | 3 ++-
 docs/source/markdown/podman-run.1.md | 3 ++-
 pkg/specgen/generate/oci.go | 15 +++++++++++++--
 pkg/specgen/specgen.go | 3 +++
 pkg/specgenutil/specgen.go | 1 +
 5 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/docs/source/markdown/podman-create.1.md b/docs/source/markdown/podman-create.1.md
index 62028de40f98..db21310a9e43 100644
--- a/docs/source/markdown/podman-create.1.md
+++ b/docs/source/markdown/podman-create.1.md
@@ -851,7 +851,8 @@ its root filesystem mounted as read only prohibiting any writes.
 
 #### **--read-only-tmpfs**
 
-If container is running in --read-only mode, then mount a read-write tmpfs on /run, /tmp, and /var/tmp. The default is *true*
+If container is running in --read-only mode, then mount a read-write tmpfs on /run, /tmp, and /var/tmp.
+When false, Podman mounts /dev, /dev/mqueue, /dev/pts, /dev/shm as read only. The default is *true*
 
 #### **--replace**
 
diff --git a/docs/source/markdown/podman-run.1.md b/docs/source/markdown/podman-run.1.md
index efd60b46d9ef..61ab667e2267 100644
--- a/docs/source/markdown/podman-run.1.md
+++ b/docs/source/markdown/podman-run.1.md
@@ -891,7 +891,8 @@ its root filesystem mounted as read only prohibiting any writes.
 
 #### **--read-only-tmpfs**
 
-If container is running in **--read-only** mode, then mount a read-write tmpfs on _/run_, _/tmp_, and _/var/tmp_. The default is **true**.
+If container is running in --read-only mode, then mount a read-write tmpfs on /run, /tmp, and /var/tmp.
+When false, Podman mounts /dev, /dev/mqueue, /dev/pts, /dev/shm as read only. The default is *true*
 
 #### **--replace**
 
diff --git a/pkg/specgen/generate/oci.go b/pkg/specgen/generate/oci.go
index 945c994ea8a8..29b67e877d39 100644
--- a/pkg/specgen/generate/oci.go
+++ b/pkg/specgen/generate/oci.go
@@ -182,8 +182,6 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
 	if err != nil {
 		return nil, err
 	}
-	// Remove the default /dev/shm mount to ensure we overwrite it
-	g.RemoveMount("/dev/shm")
 	g.HostSpecific = true
 
 	addCgroup := true
@@ -430,5 +428,18 @@ func SpecGenToOCI(ctx context.Context, s *specgen.SpecGenerator, rt *libpod.Runt
 	}
 	setProcOpts(s, &g)
 
+	if s.ReadOnlyTmpFS {
+		for n, m := range configSpec.Mounts {
+			switch m.Destination {
+			case "/dev", "/dev/shm", "/dev/mqueue", "/dev/pts":
+				m.Options = append(m.Options, "ro")
+				configSpec.Mounts[n] = m
+			}
+		}
+	} else {
+		// Remove the default /dev/shm mount to ensure we overwrite it
+		g.RemoveMount("/dev/shm")
+	}
+
 	return configSpec, nil
 }
diff --git a/pkg/specgen/specgen.go b/pkg/specgen/specgen.go
index 750fc875dc05..ea0f6d150685 100644
--- a/pkg/specgen/specgen.go
+++ b/pkg/specgen/specgen.go
@@ -367,6 +367,9 @@ type ContainerSecurityConfig struct {
 	// ReadOnlyFilesystem indicates that everything will be mounted
 	// as read-only
 	ReadOnlyFilesystem bool `json:"read_only_filesystem,omitempty"`
+	// ReadOnlyTmpfs indicates that tmpfs will be mounted
+	// as read-only
+	ReadOnlyTmpFS bool `json:"read_only_tmpfs,omitempty"`
 	// Umask is the umask the init process of the container will be run with.
 	Umask string `json:"umask,omitempty"`
 	// ProcOpts are the options used for the proc mount.
diff --git a/pkg/specgenutil/specgen.go b/pkg/specgenutil/specgen.go
index b6a18a2741c3..627d3e03e775 100644
--- a/pkg/specgenutil/specgen.go
+++ b/pkg/specgenutil/specgen.go
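Review bot: The new `if s.ReadOnlyTmpFS` branch at the end of SpecGenToOCI marks /dev, /dev/shm, /dev/mqueue and /dev/pts read-only without consulting `s.ReadOnlyFilesystem`, so a container with a writable rootfs and `--read-only-tmpfs=false` still gets a read-only /dev/shm, which contradicts the man-page text in this same patch that scopes the option to "--read-only mode"; if the documented scoping is the intent, the guard should be `if s.ReadOnlyTmpFS && s.ReadOnlyFilesystem {`. The loop also appends `"ro"` unconditionally, so a mount whose Options already hold `"rw"` (or a second `"ro"`) ends up with conflicting or duplicated flags and the outcome depends on how the OCI runtime orders them; skipping the append when `"ro"` is already present avoids that ambiguity. Because `g.RemoveMount("/dev/shm")` now runs only in the else branch, the generator's default /dev/shm entry presumably survives alongside any /dev/shm mount Podman adds elsewhere in this function, which is worth confirming does not leave two entries for the same destination. It is also worth verifying that the runtime still populates device nodes under a /dev whose tmpfs carries "ro" from the outset rather than being remounted afterwards. SpecGenToOCI begins well before this hunk.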
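Review bot: The doc comment on the new field does not start with its exact name (`ReadOnlyTmpfs` vs `ReadOnlyTmpFS`) and, more importantly, says nothing about the fact that this field has the opposite sense of the `--read-only-tmpfs` CLI flag whose name it reuses in the `read_only_tmpfs` JSON key — API callers building a SpecGenerator directly will reasonably assume CLI semantics and get /dev marked read-only when they meant the default. I would replace the two comment lines with `// ReadOnlyTmpFS, when true, marks the /dev, /dev/shm, /dev/mqueue and /dev/pts mounts read-only.` followed by `// NOTE: this is the inverse of the --read-only-tmpfs CLI flag, which is true by default.` The struct ContainerSecurityConfig continues outside the hunk.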
@@ -520,6 +520,7 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions
 	s.CapDrop = c.CapDrop
 	s.Privileged = c.Privileged
 	s.ReadOnlyFilesystem = c.ReadOnly
+	s.ReadOnlyTmpFS = !c.ReadOnlyTmpFS
 	s.ConmonPidFile = c.ConmonPIDFile
 	s.DependencyContainers = c.Requires
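Review bot: `s.ReadOnlyTmpFS = !c.ReadOnlyTmpFS` reads like an accidental inversion because both sides carry the same name, and a later maintainer "fixing" the `!` would silently re-enable writable /dev/shm for every `--read-only-tmpfs=false` user; the line needs a why-comment such as `// The CLI flag means "mount /run, /tmp, /var/tmp as writable tmpfs"; the spec field means "mark the /dev tmpfs mounts read-only", hence the negation.` Renaming one side in a follow-up would remove the need for the comment altogether. FillOutSpecGen starts and ends outside this hunk.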