From f8748bfa9a642f2176708c0834577a1812497233 Mon Sep 17 00:00:00 2001
From: Evan Lezar
Date: Fri, 21 Oct 2022 15:28:45 +0200
Subject: [PATCH] Mount IPC sockets with noexec flag

This change ensures that the CDI spec mounts the ipc sockets with the noexec flag to allow these to function in rootless mode with podman.

Signed-off-by: Evan Lezar
---
 .../info/generate-cdi/generate-cdi.go | 21 ++++++++++++-------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/cmd/nvidia-ctk/info/generate-cdi/generate-cdi.go b/cmd/nvidia-ctk/info/generate-cdi/generate-cdi.go
index 7ef290b4..60115840 100644
--- a/cmd/nvidia-ctk/info/generate-cdi/generate-cdi.go
+++ b/cmd/nvidia-ctk/info/generate-cdi/generate-cdi.go
@@ -208,7 +208,17 @@ func (m command) generateSpec() (*specs.Spec, error) {
 		return nil, fmt.Errorf("failed to locate driver IPC sockets: %v", err)
 	}
 
-	spec.ContainerEdits.Mounts = generateMountsForPaths(libraries, binaries, ipcs)
+	libOptions := []string{
+		"ro",
+		"nosuid",
+		"nodev",
+		"bind",
+	}
+	ipcOptions := append(libOptions, "noexec")
+	spec.ContainerEdits.Mounts = append(
+		generateMountsForPaths(libOptions, libraries, binaries),
+		generateMountsForPaths(ipcOptions, ipcs)...,
+	)
 
 	ldcacheUpdateHook := m.generateUpdateLdCacheHook(libraries)
 
@@ -346,7 +356,7 @@ func (m command) findIPC() ([]string, error) {
 	return ipcs, nil
 }
 
-func generateMountsForPaths(pathSets ...[]string) []*specs.Mount {
+func generateMountsForPaths(options []string, pathSets ...[]string) []*specs.Mount {
 	var mounts []*specs.Mount
 	for _, paths := range pathSets {
 		for _, p := range paths {
@@ -355,12 +365,7 @@ func generateMountsForPaths(pathSets ...[]string) []*specs.Mount {
 				// We may want to adjust the container path
 				ContainerPath: p,
 				Type: "bind",
-				Options: []string{
-					"ro",
-					"nosuid",
-					"nodev",
-					"bind",
-				},
+				Options: options,
 			}
 			mounts = append(mounts, &mount)
 		}
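Review bot: `ipcOptions := append(libOptions, "noexec")` only avoids writing "noexec" into libOptions' backing array because a slice literal has cap == len and the append must reallocate; if libOptions is ever built with spare capacity (make, a sub-slice, a shared package-level default) the library and binary mounts would silently become noexec and the driver's .so files would fail to load. Detaching the copy explicitly removes that dependency on capacity: `ipcOptions := append(append([]string(nil), libOptions...), "noexec")`. The intent also deserves a why-comment next to it, e.g. `// Sockets are never executed; noexec is what lets rootless podman mount them.`, since the distinction between the two option sets is the whole point of the change. generateSpec starts and ends outside this hunk.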
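Review bot: generateMountsForPaths gains a non-obvious contract with the new `options` parameter — the caller's slice is applied verbatim to every mount, not copied or validated — and the function has no doc comment saying so. A one-liner above the signature would do: `// generateMountsForPaths returns one bind mount per path in pathSets; the same options slice is attached to every mount.` The loop body continues past the end of this hunk.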
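Review bot: `Options: options,` stores the same slice header in every mount produced by one call, so all library and binary mounts now alias a single backing array where previously each mount owned its own literal. Any downstream in-place edit of one mount's Options — a sort, an element overwrite, or an append that lands within spare capacity — would propagate to the others, which is exactly the kind of cross-mount leakage you do not want for security flags like ro and nosuid. Whether anything mutates Options after spec generation is not visible in this diff, but a per-mount copy is cheap and removes the question: `Options: append([]string(nil), options...),`. The enclosing generateMountsForPaths begins before this hunk.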