UniqAI/nvidia-container-toolkit
1
0
Fork 0
mirror of https://github.com/NVIDIA/nvidia-container-toolkit synced 2025-04-23 07:34:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Update ipcMount to add noexec option

Browse Source 
Signed-off-by: Evan Lezar <elezar@nvidia.com>
This commit is contained in:
Evan Lezar 2023-02-07 12:11:02 +01:00
parent 33c7b056ea
commit 076eed7eb4
3 changed files with 69 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
cmd/nvidia-ctk/cdi/generate/generate.go
View File

@ -243,11 +243,6 @@ func (m command) generateSpec(driverRoot string, nvidiaCTKPath string, namer dev
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to create container edits for IPC sockets: %v", err) return nil, fmt.Errorf("failed to create container edits for IPC sockets: %v", err)
} }
// TODO: We should not have to update this after the fact
for _, s := range ipcEdits.Mounts {
s.Options = append(s.Options, "noexec")
}
allEdits.Append(ipcEdits) allEdits.Append(ipcEdits)
common, err := NewCommonDiscoverer(m.logger, driverRoot, nvidiaCTKPath, nvmllib) common, err := NewCommonDiscoverer(m.logger, driverRoot, nvidiaCTKPath, nvmllib)

60
internal/discover/icp_test.go Normal file
View File

@ -0,0 +1,60 @@
/**
# Copyright (c) NVIDIA CORPORATION. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
**/
package discover
import (
"testing"
"github.com/NVIDIA/nvidia-container-toolkit/internal/lookup"
"github.com/sirupsen/logrus"
"github.com/stretchr/testify/require"
)
func TestIPCMounts(t *testing.T) {
l := ipcMounts(
mounts{
logger: logrus.New(),
lookup: &lookup.LocatorMock{
LocateFunc: func(path string) ([]string, error) {
return []string{"/host/path"}, nil
},
},
required: []string{"target"},
},
)
mounts, err := l.Mounts()
require.NoError(t, err)
require.EqualValues(
t,
[]Mount{
{
HostPath: "/host/path",
Path: "/host/path",
Options: []string{
"ro",
"nosuid",
"nodev",
"bind",
"noexec",
},
},
},
mounts,
)
}

10
internal/discover/ipc.go
View File

@ -42,11 +42,19 @@ func NewIPCDiscoverer(logger *logrus.Logger, driverRoot string) (Discover, error
return (*ipcMounts)(d), nil return (*ipcMounts)(d), nil
} }
// Mounts returns the discovered mounts with "noexec" added to the mount options.
func (d *ipcMounts) Mounts() ([]Mount, error) { func (d *ipcMounts) Mounts() ([]Mount, error) {
mounts, err := (*mounts)(d).Mounts() mounts, err := (*mounts)(d).Mounts()
if err != nil { if err != nil {
return nil, err return nil, err
} }
return mounts, nil var modifiedMounts []Mount
for _, m := range mounts {
mount := m
mount.Options = append(m.Options, "noexec")
modifiedMounts = append(modifiedMounts, mount)
}
return modifiedMounts, nil
} }