From 076eed7eb4e29b14c9ca47226f09e575d2d5ab62 Mon Sep 17 00:00:00 2001
From: Evan Lezar
Date: Tue, 7 Feb 2023 12:11:02 +0100
Subject: [PATCH] Update ipcMount to add noexec option

Signed-off-by: Evan Lezar
---
 cmd/nvidia-ctk/cdi/generate/generate.go | 5 ---
 internal/discover/icp_test.go | 60 +++++++++++++++++++++++++
 internal/discover/ipc.go | 10 ++++-
 3 files changed, 69 insertions(+), 6 deletions(-)
 create mode 100644 internal/discover/icp_test.go

diff --git a/cmd/nvidia-ctk/cdi/generate/generate.go b/cmd/nvidia-ctk/cdi/generate/generate.go
index 015ec04d..213286fa 100644
--- a/cmd/nvidia-ctk/cdi/generate/generate.go
+++ b/cmd/nvidia-ctk/cdi/generate/generate.go
@@ -243,11 +243,6 @@ func (m command) generateSpec(driverRoot string, nvidiaCTKPath string, namer dev
 if err != nil {
 return nil, fmt.Errorf("failed to create container edits for IPC sockets: %v", err)
 }
- // TODO: We should not have to update this after the fact
- for _, s := range ipcEdits.Mounts {
- s.Options = append(s.Options, "noexec")
- }
-
 allEdits.Append(ipcEdits)
 common, err := NewCommonDiscoverer(m.logger, driverRoot, nvidiaCTKPath, nvmllib)
diff --git a/internal/discover/icp_test.go b/internal/discover/icp_test.go
new file mode 100644
index 00000000..d2318b44
--- /dev/null
+++ b/internal/discover/icp_test.go
@@ -0,0 +1,60 @@
+/**
+# Copyright (c) NVIDIA CORPORATION. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+**/
+
+package discover
+
+import (
+ "testing"
+
+ "github.com/NVIDIA/nvidia-container-toolkit/internal/lookup"
+ "github.com/sirupsen/logrus"
+ "github.com/stretchr/testify/require"
+)
+
+func TestIPCMounts(t *testing.T) {
+ l := ipcMounts(
+ mounts{
+ logger: logrus.New(),
+ lookup: &lookup.LocatorMock{
+ LocateFunc: func(path string) ([]string, error) {
+ return []string{"/host/path"}, nil
+ },
+ },
+ required: []string{"target"},
+ },
+ )
+
+ mounts, err := l.Mounts()
+ require.NoError(t, err)
+
+ require.EqualValues(
+ t,
+ []Mount{
+ {
+ HostPath: "/host/path",
+ Path: "/host/path",
+ Options: []string{
+ "ro",
+ "nosuid",
+ "nodev",
+ "bind",
+ "noexec",
+ },
+ },
+ },
+ mounts,
+ )
+}
diff --git a/internal/discover/ipc.go b/internal/discover/ipc.go
index 80c5fb7e..622c6aab 100644
--- a/internal/discover/ipc.go
+++ b/internal/discover/ipc.go
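Review bot: The new file is named `icp_test.go` while the code it exercises lives in `ipc.go`; the letters are transposed, so it should be renamed to `ipc_test.go` before the name propagates further (it also shows up in the diffstat and the `create mode` line). The expected list pins `"ro", "nosuid", "nodev", "bind"` as the base options, but those are produced by the embedded `mounts.Mounts()` outside this hunk, so a comment such as `// base options come from mounts.Mounts(); ipcMounts only appends "noexec"` would tell a reader which behaviour this test actually owns. A second entry in `required` (the mock `LocateFunc` ignores its argument and returns "/host/path" for every lookup) would also drive the `noexec` loop with more than one mount and could surface shared-slice aliasing in the append if the base Options slices share a backing array, which the single-mount case cannot detect.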
@@ -42,11 +42,19 @@ func NewIPCDiscoverer(logger *logrus.Logger, driverRoot string) (Discover, error
 return (*ipcMounts)(d), nil
 }
+// Mounts returns the discovered mounts with "noexec" added to the mount options.
 func (d *ipcMounts) Mounts() ([]Mount, error) {
 mounts, err := (*mounts)(d).Mounts()
 if err != nil {
 return nil, err
 }
- return mounts, nil
+ var modifiedMounts []Mount
+ for _, m := range mounts {
+ mount := m
+ mount.Options = append(m.Options, "noexec")
+ modifiedMounts = append(modifiedMounts, mount)
+ }
+
+ return modifiedMounts, nil
 }
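Review bot: `mount.Options = append(m.Options, "noexec")` appends into the Options slice handed back by the embedded `mounts.Mounts()`; `mount := m` copies the struct but not the slice's backing array, so if that slice has spare capacity — or if several mounts share one Options slice, which this hunk does not show either way — the write lands in storage the inner discoverer still owns and one mount's "noexec" can clobber a sibling's element. Copy before appending: `opts := make([]string, 0, len(m.Options)+1)`, `opts = append(opts, m.Options...)`, `mount.Options = append(opts, "noexec")`. The new doc comment states what is added but not why; given these are the IPC socket mounts (per the error text removed from generate.go), a line like `// IPC sockets are bind-mounted from the host; noexec ensures nothing placed under them can be executed from inside the container.` would record the security intent for the next reader. With the post-hoc loop in generate.go gone, every consumer of the IPC discoverer now gets "noexec" unconditionally, which appears to be the intent. NewIPCDiscoverer, whose tail opens the hunk, starts outside it.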