Mount IPC sockets with noexec flag

This change ensures that the CDI spec mounts the ipc sockets with the
noexec flag to allow these to function in rootless mode with podman.

Signed-off-by: Evan Lezar <elezar@nvidia.com>

cmd/nvidia-ctk/info/generate-cdi/generate-cdi.go

@@ -208,7 +208,17 @@ func (m command) generateSpec() (*specs.Spec, error) {
 		return nil, fmt.Errorf("failed to locate driver IPC sockets: %v", err)
 	}
 
-	spec.ContainerEdits.Mounts = generateMountsForPaths(libraries, binaries, ipcs)
+	libOptions := []string{
+		"ro",
+		"nosuid",
+		"nodev",
+		"bind",
+	}
+	ipcOptions := append(libOptions, "noexec")
+	spec.ContainerEdits.Mounts = append(
+		generateMountsForPaths(libOptions, libraries, binaries),
+		generateMountsForPaths(ipcOptions, ipcs)...,
+	)
 
 	ldcacheUpdateHook := m.generateUpdateLdCacheHook(libraries)
 
@@ -346,7 +356,7 @@ func (m command) findIPC() ([]string, error) {
 	return ipcs, nil
 }
 
-func generateMountsForPaths(pathSets ...[]string) []*specs.Mount {
+func generateMountsForPaths(options []string, pathSets ...[]string) []*specs.Mount {
 	var mounts []*specs.Mount
 	for _, paths := range pathSets {
 		for _, p := range paths {
@@ -355,12 +365,7 @@ func generateMountsForPaths(pathSets ...[]string) []*specs.Mount {
 				// We may want to adjust the container path
 				ContainerPath: p,
 				Type:          "bind",
-				Options: []string{
+				Options:       options,
-					"ro",
-					"nosuid",
-					"nodev",
-					"bind",
-				},
 			}
 			mounts = append(mounts, &mount)
 		}