Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #47588 from vvoland/v25.0-47558
[25.0 backport] plugin: fix mounting /etc/hosts when running in UserNS
- Loading branch information
Showing
3 changed files
with
77 additions
and
34 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
package mountopts | ||
|
||
import ( | ||
"golang.org/x/sys/unix" | ||
) | ||
|
||
// UnprivilegedMountFlags gets the set of mount flags that are set on the mount that contains the given | ||
// path and are locked by CL_UNPRIVILEGED. This is necessary to ensure that | ||
// bind-mounting "with options" will not fail with user namespaces, due to | ||
// kernel restrictions that require user namespace mounts to preserve | ||
// CL_UNPRIVILEGED locked flags. | ||
// | ||
// TODO: Move to github.com/moby/sys/mount, and update BuildKit copy of this code as well (https://github.com/moby/buildkit/blob/v0.13.0/util/rootless/mountopts/mountopts_linux.go#L11-L18) | ||
func UnprivilegedMountFlags(path string) ([]string, error) { | ||
var statfs unix.Statfs_t | ||
if err := unix.Statfs(path, &statfs); err != nil { | ||
return nil, err | ||
} | ||
|
||
// The set of keys come from https://github.com/torvalds/linux/blob/v4.13/fs/namespace.c#L1034-L1048. | ||
unprivilegedFlags := map[uint64]string{ | ||
unix.MS_RDONLY: "ro", | ||
unix.MS_NODEV: "nodev", | ||
unix.MS_NOEXEC: "noexec", | ||
unix.MS_NOSUID: "nosuid", | ||
unix.MS_NOATIME: "noatime", | ||
unix.MS_RELATIME: "relatime", | ||
unix.MS_NODIRATIME: "nodiratime", | ||
} | ||
|
||
var flags []string | ||
for mask, flag := range unprivilegedFlags { | ||
if uint64(statfs.Flags)&mask == mask { | ||
flags = append(flags, flag) | ||
} | ||
} | ||
|
||
return flags, nil | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters