Skip to content

Commit

Permalink
cmd/initContainer: Handle security hardened mount points when rootless
Browse files Browse the repository at this point in the history
Sometimes locations such as /var/lib/flatpak, /var/lib/systemd/coredump
and /var/log/journal sit on security hardened mount points that are
marked as 'nosuid,nodev,noexec' [1].  In such cases, when Toolbx is used
rootless, an attempt to bind mount these locations read-only at runtime
with mount(8) fails because of permission problems:
  # mount --rbind -o ro <source> <containerPath>
  mount: <containerPath>: filesystem was mounted, but any subsequent
      operation failed: Unknown error 5005.

The problem is that 'init-container' is running inside the container's
mount and user namespace and the source paths were mounted inside the
host's namespace with 'nosuid,nodev,noexec'.  The above mount(8) call
tries to remove the 'nosuid,nodev,noexec' flags from the mount point and
replace them with only 'ro', which is something that can't be done from
a child namespace.

There's actually no benefit in bind mounting these paths as read-only.
It was historically done this way 'just to be safe' because a user isn't
expected to write to these locations from inside a container.  However,
Toolbx doesn't intend to provide any heightened security beyond what's
already available on the host.

Hence, it's better to get out of the way and leave it to the permissions
on the source location from the host operating system to guard the
castle.  This is accomplished by not passing any file system options to
mount(8) [1].

Note that this isn't a problem when Toolbx is running as root, because
the container uses the host's user namespace.

Based on an idea from Si.

[1] https://man7.org/linux/man-pages/man8/mount.8.html

containers#911
  • Loading branch information
debarshiray committed Jul 13, 2023
1 parent c846b6d commit 65afe2f
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions src/cmd/initContainer.go
Original file line number Diff line number Diff line change
Expand Up @@ -62,10 +62,10 @@ var (
{"/run/udev/data", "/run/host/run/udev/data", ""},
{"/run/udev/tags", "/run/host/run/udev/tags", ""},
{"/tmp", "/run/host/tmp", "rslave"},
{"/var/lib/flatpak", "/run/host/var/lib/flatpak", "ro"},
{"/var/lib/flatpak", "/run/host/var/lib/flatpak", ""},
{"/var/lib/libvirt", "/run/host/var/lib/libvirt", ""},
{"/var/lib/systemd/coredump", "/run/host/var/lib/systemd/coredump", "ro"},
{"/var/log/journal", "/run/host/var/log/journal", "ro"},
{"/var/lib/systemd/coredump", "/run/host/var/lib/systemd/coredump", ""},
{"/var/log/journal", "/run/host/var/log/journal", ""},
{"/var/mnt", "/run/host/var/mnt", "rslave"},
}
)
Expand Down

0 comments on commit 65afe2f

Please sign in to comment.