Fix #I4KI81. Reason: update the kata-containers version to 1.11.1. Signed-off-by: holyfei <yangfeiyu20092010@163.com>
From 228e6eb4b9c000fb105e3bf1401ac3938588fae2 Mon Sep 17 00:00:00 2001
From: Peng Tao <bergwolf@hyper.sh>
Date: Fri, 30 Oct 2020 14:54:49 +0800
Subject: [PATCH] runtime: readonly mounts should be readonly bindmount on the
host
So that the protection is enforced at the VM boundary (on the host side), not only by the guest kernel.
Signed-off-by: Peng Tao <bergwolf@hyper.sh>
Reference: https://github.com/kata-containers/runtime/commit/228e6eb4b9c000fb105e3bf1401ac3938588fae2
https://github.com/kata-containers/community/blob/master/VMT/KCSA/KCSA-CVE-2020-28914.md
(cherry picked from commit 509eb6f850c0ceb60eb91a6095cceb8e4c7150f5)
---
virtcontainers/container.go | 14 ++------------
virtcontainers/pkg/oci/utils.go | 8 ++++++++
2 files changed, 10 insertions(+), 12 deletions(-)
diff --git a/virtcontainers/container.go b/virtcontainers/container.go
|
|
index 88863ec42..6973c8328 100644
|
|
--- a/virtcontainers/container.go
|
|
+++ b/virtcontainers/container.go
|
|
@@ -481,7 +481,7 @@ func (c *Container) shareFiles(m Mount, idx int, hostSharedDir, guestSharedDir s
|
|
} else {
|
|
// These mounts are created in the shared dir
|
|
mountDest := filepath.Join(hostSharedDir, filename)
|
|
- if err := bindMount(c.ctx, m.Source, mountDest, false, "private"); err != nil {
|
|
+ if err := bindMount(c.ctx, m.Source, mountDest, m.ReadOnly, "private"); err != nil {
|
|
return "", false, err
|
|
}
|
|
// Save HostPath mount value into the mount list of the container.
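Review bot: Whether the host-side mount really ends up read-only depends on `bindMount` honouring its readonly argument with a second `MS_REMOUNT|MS_BIND|MS_RDONLY` pass — the kernel ignores `MS_RDONLY` on the initial bind call — and that function is not in this hunk, so it is worth confirming, ideally with a test that writes through `mountDest` after `shareFiles` and expects `EROFS`. Because this is the CVE-2020-28914 fix, the intent is that the guest kernel sits outside the trust boundary and `m.ReadOnly` must be enforced on the host regardless of what the agent does inside the VM; a short comment above the call would keep that intent alive through refactors: `// Bind read-only on the host as well: the guest kernel is untrusted, so its own ro remount is not a boundary (CVE-2020-28914).` The `if` branch this `else` pairs with, and the rest of `shareFiles`, lie outside the hunk, so any other bind of `m.Source` there should receive the same `m.ReadOnly` treatment.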
|
|
@@ -557,22 +557,12 @@ func (c *Container) mountSharedDirMounts(hostSharedDir, guestSharedDir string) (
|
|
continue
|
|
}
|
|
|
|
- // Check if mount is readonly, let the agent handle the readonly mount
|
|
- // within the VM.
|
|
- readonly := false
|
|
- for _, flag := range m.Options {
|
|
- if flag == "ro" {
|
|
- readonly = true
|
|
- break
|
|
- }
|
|
- }
|
|
-
|
|
sharedDirMount := Mount{
|
|
Source: guestDest,
|
|
Destination: m.Destination,
|
|
Type: m.Type,
|
|
Options: m.Options,
|
|
- ReadOnly: readonly,
|
|
+ ReadOnly: m.ReadOnly,
|
|
}
|
|
|
|
sharedDirMounts[sharedDirMount.Destination] = sharedDirMount
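Review bot: After this change `mountSharedDirMounts` trusts `m.ReadOnly` alone, so any path that constructs a `Mount` without going through `oci.newMount` — `Options` containing `ro` but `ReadOnly` left at its zero value — would now get a writable host bind and a writable guest mount, where the removed loop at least derived the flag from `Options`. If such constructors exist elsewhere in virtcontainers (not visible here), either set `ReadOnly` there too or keep a defensive fallback at this point: `readonly := m.ReadOnly || hasOption(m.Options, "ro")` with the old loop kept as that small helper, and pass `readonly` into `sharedDirMount`. Either way `Mount.ReadOnly` is now a security-relevant field whose invariant (true whenever `Options` carries `ro`) deserves a comment on the struct definition, which is outside this hunk; `mountSharedDirMounts` itself also begins and ends outside the hunk.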
|
|
diff --git a/virtcontainers/pkg/oci/utils.go b/virtcontainers/pkg/oci/utils.go
|
|
index 0832a757c..9701df3d5 100644
|
|
--- a/virtcontainers/pkg/oci/utils.go
|
|
+++ b/virtcontainers/pkg/oci/utils.go
|
|
@@ -162,11 +162,19 @@ func cmdEnvs(spec specs.Spec, envs []types.EnvVar) []types.EnvVar {
|
|
}
|
|
|
|
func newMount(m specs.Mount) vc.Mount {
|
|
+ readonly := false
|
|
+ for _, flag := range m.Options {
|
|
+ if flag == "ro" {
|
|
+ readonly = true
|
|
+ break
|
|
+ }
|
|
+ }
|
|
return vc.Mount{
|
|
Source: m.Source,
|
|
Destination: m.Destination,
|
|
Type: m.Type,
|
|
Options: m.Options,
|
|
+ ReadOnly: readonly,
|
|
}
|
|
}
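Review bot: `newMount` is now the single place that decides `ReadOnly`, yet it carries no doc comment saying so; suggest `// newMount converts an OCI spec mount into a vc.Mount. ReadOnly is derived from the "ro" option here so both the host-side bind mount and the guest mount are made read-only (CVE-2020-28914); any other constructor of vc.Mount must preserve that invariant.` The scan also flags a mount read-only when `Options` contains both `ro` and `rw`, whereas mount(8) lets the later option win; read-only is the safe direction, but a one-line `// "ro" wins over a later "rw": fail towards read-only` above the loop would stop someone "fixing" it later. Exact, case-sensitive matching on `ro` is right for OCI mount options, so no change is needed there.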
|
|
|