UniqAI/nvidia-container-toolkit
1
0
Fork 0
mirror of https://github.com/NVIDIA/nvidia-container-toolkit synced 2024-11-22 08:18:32 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge branch 'ipc-rw' into 'main'

Browse Source 
Mount IPC sockets with noexec flag

See merge request nvidia/container-toolkit/container-toolkit!234
This commit is contained in:
Evan Lezar 2022-11-02 12:15:47 +00:00
commit 59bf7607ce
1 changed files with 13 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
cmd/nvidia-ctk/info/generate-cdi/generate-cdi.go
View File

@ -209,7 +209,17 @@ func (m command) generateSpec() (*specs.Spec, error) {
return nil, fmt.Errorf("failed to locate driver IPC sockets: %v", err)
}
spec.ContainerEdits.Mounts = generateMountsForPaths(libraries, binaries, ipcs)
libOptions := []string{
"ro",
"nosuid",
"nodev",
"bind",
}
ipcOptions := append(libOptions, "noexec")
spec.ContainerEdits.Mounts = append(
generateMountsForPaths(libOptions, libraries, binaries),
generateMountsForPaths(ipcOptions, ipcs)...,
)
ldcacheUpdateHook := m.generateUpdateLdCacheHook(libraries)
@ -352,7 +362,7 @@ func (m command) findIPC() ([]string, error) {
return ipcs, nil
}
func generateMountsForPaths(pathSets ...[]string) []*specs.Mount {
func generateMountsForPaths(options []string, pathSets ...[]string) []*specs.Mount {
var mounts []*specs.Mount
for _, paths := range pathSets {
for _, p := range paths {
@ -361,12 +371,7 @@ func generateMountsForPaths(pathSets ...[]string) []*specs.Mount {
// We may want to adjust the container path
ContainerPath: p,
Type: "bind",
Options: []string{
"ro",
"nosuid",
"nodev",
"bind",
},
Options: options,
}
mounts = append(mounts, &mount)
}