gofer: set nosuid and nodev flags when the root is remounted

These flags can be locked and mount(MS_BIND|MS_REMOUNT) fails if they are not set. Fixes #8921 PiperOrigin-RevId: 570741035
google · Oct 4, 2023 · c6a1db5 · c6a1db5
1 parent ff6258b
commit c6a1db5
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/runsc/cmd/gofer.go b/runsc/cmd/gofer.go
@@ -421,8 +421,12 @@ func (g *Gofer) setupRootFS(spec *specs.Spec, conf *config.Config) error {
 	if spec.Root.Readonly || g.overlayMediums[0].IsEnabled() {
 		// If root is a mount point but not read-only, we can change mount options
 		// to make it read-only for extra safety.
+		// unix.MS_NOSUID and unix.MS_NODEV are included here not only
+		// for safety reasons but also because they can be locked and
+		// any attempts to unset them will fail.  See
+		// mount_namespaces(7) for more details.
 		log.Infof("Remounting root as readonly: %q", root)
-		flags := uintptr(unix.MS_BIND | unix.MS_REMOUNT | unix.MS_RDONLY | unix.MS_REC)
+		flags := uintptr(unix.MS_BIND | unix.MS_REMOUNT | unix.MS_RDONLY | unix.MS_REC | unix.MS_NOSUID | unix.MS_NODEV)
 		if err := specutils.SafeMount(root, root, "bind", flags, "", procPath); err != nil {
 			return fmt.Errorf("remounting root as read-only with source: %q, target: %q, flags: %#x, err: %v", root, root, flags, err)
 		}