-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Validate the bind-propagation option to --mount
#24124
base: main
Are you sure you want to change the base?
Conversation
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mheon The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
LGTM but test not happy. |
pkg/specgenutil/volumes.go
Outdated
case "shared", "rshared", "private", "rprivate", "slave", "rslave", "unbindable", "runbindable": | ||
// Do nothing, sane value | ||
default: | ||
return nil, fmt.Errorf("invalid value %q for bind-propagation mount option", value) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not blocking but I would just log arg
and then remove the for bind-propagation
part.
test/e2e/run_volume_test.go
Outdated
@@ -122,6 +122,10 @@ var _ = Describe("Podman run with volumes", func() { | |||
session.WaitWithDefaultTimeout() | |||
Expect(session).To(ExitWithError(125, `"notmpcopyup" option not supported for "bind" mount types`)) | |||
|
|||
session = podmanTest.Podman([]string{"run", "--rm", "--mount", "type=bind,src=/tmp,target=/tmp,bind_propagation=fake", ALPINE, "true"}) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/bind_propagation/bind-propagation
Similar to github.com/containers/buildah/pull/5761 but not security critical as Podman does not have an expectation that mounts are scoped (the ability to write a --mount option is already the ability to mount arbitrary content into the container so sneaking arbitrary options into the mount doesn't have security implications). Still, bad practice to let users inject anything into the mount command line so let's not do that. Signed-off-by: Matt Heon <[email protected]>
d8f01c7
to
2a263d0
Compare
Similar to github.com/containers/buildah/pull/5761 but not security critical as Podman does not have an expectation that mounts are scoped (the ability to write a --mount option is already the ability to mount arbitrary content into the container so sneaking arbitrary options into the mount doesn't have security implications). Still, bad practice to let users inject anything into the mount command line so let's not do that.
Does this PR introduce a user-facing change?