Mount IPC sockets with noexec flag

This change ensures that the CDI spec mounts the ipc sockets with the noexec flag to allow these to function in rootless mode with podman. Signed-off-by: Evan Lezar <elezar@nvidia.com>
2025-06-26 18:18:24 +00:00 · 2022-10-21 15:28:45 +02:00
parent 5fb0ae2c2d
commit f8748bfa9a
1 changed files with 13 additions and 8 deletions
--- a/cmd/nvidia-ctk/info/generate-cdi/generate-cdi.go
+++ b/cmd/nvidia-ctk/info/generate-cdi/generate-cdi.go
@@ -208,7 +208,17 @@ func (m command) generateSpec() (*specs.Spec, error) {
 		return nil, fmt.Errorf("failed to locate driver IPC sockets: %v", err)
 	}

-	spec.ContainerEdits.Mounts = generateMountsForPaths(libraries, binaries, ipcs)
+	libOptions := []string{
+		"ro",
+		"nosuid",
+		"nodev",
+		"bind",
+	}
+	ipcOptions := append(libOptions, "noexec")
+	spec.ContainerEdits.Mounts = append(
+		generateMountsForPaths(libOptions, libraries, binaries),
+		generateMountsForPaths(ipcOptions, ipcs)...,
+	)

 	ldcacheUpdateHook := m.generateUpdateLdCacheHook(libraries)

@@ -346,7 +356,7 @@ func (m command) findIPC() ([]string, error) {
 	return ipcs, nil
 }

-func generateMountsForPaths(pathSets ...[]string) []*specs.Mount {
+func generateMountsForPaths(options []string, pathSets ...[]string) []*specs.Mount {
 	var mounts []*specs.Mount
 	for _, paths := range pathSets {
 		for _, p := range paths {
@@ -355,12 +365,7 @@ func generateMountsForPaths(pathSets ...[]string) []*specs.Mount {
 				// We may want to adjust the container path
 				ContainerPath: p,
 				Type:          "bind",
-				Options: []string{
-					"ro",
-					"nosuid",
-					"nodev",
-					"bind",
-				},
+				Options:       options,
 			}
 			mounts = append(mounts, &mount)
 		}