tmpfs mounts do not accept exec option #3819

Closed
psafont opened this issue Aug 15, 2019 · 4 comments · Fixed by #3876

psafont commented Aug 15, 2019

The manual is quite clear on which flags are supported:

--tmpfs
This command mounts a tmpfs at /tmp within the container. The supported mount options are the same as the Linux default mount flags. If you do not specify any options, the system uses the following options:

However, the exec option is rejected as invalid in current master: https://github.com/containers/libpod/blob/4d470c73ca9f441ced162431270977b967b547a1/pkg/util/mountOpts.go#L50

$ podman run --rm --tmpfs /tmp:exec -it docker.io/library/alpine /bin/sh
Error: unknown tmpfs option "exec": invalid mount option

Additional info:
This came up while using the docker wrapper for podman; docker supports this mount option for tmpfs.

A revision on the code or the documentation about this would be good to have.


mheon commented Aug 15, 2019

Related: #3803 - we need the option to resolve that as well


mheon commented Aug 15, 2019

We need to do this for all mounts - not just tmpfs


mheon commented Aug 15, 2019

We need to update and revendor Buildah to land fixes to the shared option parse code first. Then we can add this to Podman.

mheon added a commit to mheon/libpod that referenced this issue Aug 22, 2019
Previously, we explicitly set noexec/nosuid/nodev on every mount,
with no ability to disable them. The 'mount' command on Linux
will accept their inverses without complaint, though - 'noexec'
is counteracted by 'exec', 'nosuid' by 'suid', etc. Add support
for passing these options at the command line to disable our
explicit forcing of security options.

This also cleans up mount option handling significantly. We are
still parsing options in more than one place, which isn't good,
but option parsing for bind and tmpfs mounts has been unified.

Fixes: containers#3819
Fixes: containers#3803

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
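As an added illustration of the option handling the commit describes (example code, not Podman's own parser): a Go function that keeps noexec/nosuid/nodev as forced defaults, drops each one only when the caller passes its mount(8) inverse (exec, suid, dev), and rejects unknown or contradictory options. The set of other options it accepts (ro, rw, size=, mode=, uid=, gid=) is an assumption for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Hardening flags Podman forces on a tmpfs unless the caller opts out.
var defaults = []string{"noexec", "nosuid", "nodev"}
// opposite pairs each hardening flag with the mount(8) option that cancels it
// (both directions), so a contradictory request such as "exec,noexec" is caught.
var opposite = map[string]string{
	"noexec": "exec", "nosuid": "suid", "nodev": "dev",
	"exec": "noexec", "suid": "nosuid", "dev": "nodev",
}

// ParseTmpfsOptions parses the options after the colon in "--tmpfs /path:opts".
// An inverse flag (exec/suid/dev) switches off the matching default; every default
// not opted out of is still appended, so hardening is only ever dropped explicitly.
// The non-hardening options accepted here are an assumption, not Podman's list.
func ParseTmpfsOptions(opts string) ([]string, error) {
	seen := map[string]bool{}
	var out []string
	for _, o := range strings.Split(opts, ",") {
		if o == "" {
			continue
		}
		switch {
		case opposite[o] != "":
			if seen[opposite[o]] {
				return nil, fmt.Errorf("conflicting tmpfs options %q and %q", o, opposite[o])
			}
		case o == "ro" || o == "rw":
		case strings.HasPrefix(o, "size=") || strings.HasPrefix(o, "mode=") ||
			strings.HasPrefix(o, "uid=") || strings.HasPrefix(o, "gid="):
		default: // same wording as the error quoted in the report
			return nil, fmt.Errorf("unknown tmpfs option %q: invalid mount option", o)
		}
		if seen[o] {
			return nil, fmt.Errorf("duplicate tmpfs option %q", o)
		}
		seen[o] = true
		out = append(out, o)
	}
	for _, def := range defaults { // re-apply defaults the caller did not cancel
		if !seen[def] && !seen[opposite[def]] {
			out = append(out, def)
		}
	}
	return out, nil
}
```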
mheon added a commit to mheon/libpod that referenced this issue Aug 28, 2019

bruceg commented Sep 4, 2019

FWIW I am also having this issue after switching from docker to podman for a build infrastructure tool that ends up running ldd on built programs on tmpfs. Without the exec flag, this breaks.

weirdwiz pushed a commit to weirdwiz/libpod that referenced this issue Sep 5, 2019
github-actions bot added the "locked - please file new issue/PR" label, locked the issue as resolved and limited conversation to collaborators Sep 23, 2023