mirror of
https://github.com/NVIDIA/nvidia-container-toolkit
synced 2024-11-25 21:39:10 +00:00
Mount IPC sockets with noexec flag
This change ensures that the CDI spec mounts the ipc sockets with the noexec flag to allow these to function in rootless mode with podman. Signed-off-by: Evan Lezar <elezar@nvidia.com>
This commit is contained in:
parent
5fb0ae2c2d
commit
f8748bfa9a
@ -208,7 +208,17 @@ func (m command) generateSpec() (*specs.Spec, error) {
|
||||
return nil, fmt.Errorf("failed to locate driver IPC sockets: %v", err)
|
||||
}
|
||||
|
||||
spec.ContainerEdits.Mounts = generateMountsForPaths(libraries, binaries, ipcs)
|
||||
libOptions := []string{
|
||||
"ro",
|
||||
"nosuid",
|
||||
"nodev",
|
||||
"bind",
|
||||
}
|
||||
ipcOptions := append(libOptions, "noexec")
|
||||
spec.ContainerEdits.Mounts = append(
|
||||
generateMountsForPaths(libOptions, libraries, binaries),
|
||||
generateMountsForPaths(ipcOptions, ipcs)...,
|
||||
)
|
||||
|
||||
ldcacheUpdateHook := m.generateUpdateLdCacheHook(libraries)
|
||||
|
||||
@ -346,7 +356,7 @@ func (m command) findIPC() ([]string, error) {
|
||||
return ipcs, nil
|
||||
}
|
||||
|
||||
func generateMountsForPaths(pathSets ...[]string) []*specs.Mount {
|
||||
func generateMountsForPaths(options []string, pathSets ...[]string) []*specs.Mount {
|
||||
var mounts []*specs.Mount
|
||||
for _, paths := range pathSets {
|
||||
for _, p := range paths {
|
||||
@ -355,12 +365,7 @@ func generateMountsForPaths(pathSets ...[]string) []*specs.Mount {
|
||||
// We may want to adjust the container path
|
||||
ContainerPath: p,
|
||||
Type: "bind",
|
||||
Options: []string{
|
||||
"ro",
|
||||
"nosuid",
|
||||
"nodev",
|
||||
"bind",
|
||||
},
|
||||
Options: options,
|
||||
}
|
||||
mounts = append(mounts, &mount)
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user