Commit
cmd/initContainer: Handle security-hardened mount points when rootless
Sometimes locations such as /var/lib/flatpak, /var/lib/systemd/coredump and /var/log/journal sit on security-hardened mount points that are marked as 'nosuid,nodev,noexec' [1]. In such cases, when Toolbx is used rootless, an attempt to bind mount these locations read-only at runtime with mount(8) fails because of permission problems:

    # mount --rbind -o ro <source> <containerPath>
    mount: <containerPath>: filesystem was mounted, but any subsequent operation failed: Unknown error 5005

The problem is that 'init-container' is running inside the container's mount and user namespace and the source paths were mounted inside the host's namespace with 'nosuid,nodev,noexec'. The above mount(8) call tries to remove the 'nosuid,nodev,noexec' flags from the mount point and replace them with only 'ro', which is something that can't be done from a child namespace.

There's actually no benefit in bind mounting these paths as read-only. It was historically done this way 'just to be safe' because a user isn't expected to write to these locations from inside a container. However, Toolbx doesn't intend to provide any heightened security beyond what's already available on the host. Hence, it's better to get out of the way and leave it to the permissions on the source location from the host operating system to guard the castle. This is accomplished by not passing any file system options to mount(8) [1].

Note that this isn't a problem when Toolbx is running as root, because the container uses the host's user namespace.

Based on an idea from Si.

[1] https://man7.org/linux/man-pages/man8/mount.8.html

#911
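As an added illustration (not Toolbx code), the helper below parses one constructed /proc/self/mountinfo line, lists the locked per-mount flags that a plain `-o ro` bind mount would ask the kernel to strip, and builds the option string that keeps them instead; the function names and the sample line are assumptions for this example. The commit itself sidesteps the problem by passing no options at all, which this check complements rather than replaces.

```go
package main

import (
	"fmt"
	"strings"
)

// Flags a child user namespace may not clear on remount once the parent set them.
var lockedFlags = []string{"nosuid", "nodev", "noexec"}
// MountEntry holds the two /proc/self/mountinfo fields this check needs.
type MountEntry struct {
	MountPoint string
	Options    map[string]bool // per-mount options, e.g. rw,nosuid,nodev,noexec,relatime
}
// ParseMountinfoLine reads fields 5 and 6 (mount point, per-mount options) of one mountinfo line; see proc(5).
func ParseMountinfoLine(line string) (MountEntry, error) {
	f := strings.Fields(line)
	if len(f) < 6 {
		return MountEntry{}, fmt.Errorf("short mountinfo line: %q", line)
	}
	e := MountEntry{MountPoint: f[4], Options: map[string]bool{}}
	for _, opt := range strings.Split(f[5], ",") {
		e.Options[opt] = true
	}
	return e, nil
}
// HardenedFlags lists the locked flags set on the entry, in fixed order: exactly what `mount --rbind -o ro` would strip.
func HardenedFlags(e MountEntry) []string {
	var out []string
	for _, flag := range lockedFlags {
		if e.Options[flag] {
			out = append(out, flag)
		}
	}
	return out
}
// PreservingOptions adds the requested option (e.g. "ro") while keeping every locked flag, so nothing has to be cleared.
func PreservingOptions(e MountEntry, requested string) string {
	return strings.Join(append([]string{requested}, HardenedFlags(e)...), ",")
}
// Constructed sample: a hardened /var/lib/flatpak as the host might report it.
const SampleMountinfo = "120 28 0:40 / /var/lib/flatpak rw,nosuid,nodev,noexec,relatime shared:60 - ext4 /dev/sda3 rw"

func main() {
	e, err := ParseMountinfoLine(SampleMountinfo)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s: -o ro strips %v; -o %s keeps them\n", e.MountPoint, HardenedFlags(e), PreservingOptions(e, "ro"))
}
```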