Update ipcMount to add noexec option

Signed-off-by: Evan Lezar <elezar@nvidia.com>
2025-06-26 18:18:24 +00:00 · 2023-02-07 12:11:02 +01:00 · 2023-02-07 12:11:02 +01:00 · 076eed7eb4
commit 076eed7eb4
parent 33c7b056ea
3 changed files with 69 additions and 6 deletions
--- a/cmd/nvidia-ctk/cdi/generate/generate.go
+++ b/cmd/nvidia-ctk/cdi/generate/generate.go
@ -243,11 +243,6 @@ func (m command) generateSpec(driverRoot string, nvidiaCTKPath string, namer dev
 	if err != nil {
 		return nil, fmt.Errorf("failed to create container edits for IPC sockets: %v", err)
 	}
-	// TODO: We should not have to update this after the fact
-	for _, s := range ipcEdits.Mounts {
-		s.Options = append(s.Options, "noexec")
-	}
-
 	allEdits.Append(ipcEdits)

 	common, err := NewCommonDiscoverer(m.logger, driverRoot, nvidiaCTKPath, nvmllib)
--- a/internal/discover/icp_test.go
+++ b/internal/discover/icp_test.go
@ -0,0 +1,60 @@
+/**
+# Copyright (c) NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package discover
+
+import (
+	"testing"
+
+	"github.com/NVIDIA/nvidia-container-toolkit/internal/lookup"
+	"github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/require"
+)
+
+func TestIPCMounts(t *testing.T) {
+	l := ipcMounts(
+		mounts{
+			logger: logrus.New(),
+			lookup: &lookup.LocatorMock{
+				LocateFunc: func(path string) ([]string, error) {
+					return []string{"/host/path"}, nil
+				},
+			},
+			required: []string{"target"},
+		},
+	)
+
+	mounts, err := l.Mounts()
+	require.NoError(t, err)
+
+	require.EqualValues(
+		t,
+		[]Mount{
+			{
+				HostPath: "/host/path",
+				Path:     "/host/path",
+				Options: []string{
+					"ro",
+					"nosuid",
+					"nodev",
+					"bind",
+					"noexec",
+				},
+			},
+		},
+		mounts,
+	)
+}
--- a/internal/discover/ipc.go
+++ b/internal/discover/ipc.go
@ -42,11 +42,19 @@ func NewIPCDiscoverer(logger *logrus.Logger, driverRoot string) (Discover, error
 	return (*ipcMounts)(d), nil
 }

+// Mounts returns the discovered mounts with "noexec" added to the mount options.
 func (d *ipcMounts) Mounts() ([]Mount, error) {
 	mounts, err := (*mounts)(d).Mounts()
 	if err != nil {
 		return nil, err
 	}

-	return mounts, nil
+	var modifiedMounts []Mount
+	for _, m := range mounts {
+		mount := m
+		mount.Options = append(m.Options, "noexec")
+		modifiedMounts = append(modifiedMounts, mount)
+	}
+
+	return modifiedMounts, nil
 }