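/*
 * umoci: Umoci Modifies Open Containers' Images
 * Copyright (C) 2016-2019 SUSE LLC.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package convert

import (
	"golang.org/x/sys/unix"
)

// getUnprivilegedMountFlags returns the mount options (as mount(8)-style
// strings such as "ro" or "nosuid") that are set on the mount containing
// path and that the kernel locks with CL_UNPRIVILEGED. When a mount is
// propagated into a less privileged user namespace the kernel refuses any
// attempt to clear these locked flags, so a bind-mount "with options" that
// omits them fails; callers must therefore carry them over explicitly.
//
// The result is ordered deterministically (in the order of the table below)
// so that a generated configuration does not differ between runs. A nil
// slice is returned when none of the locked flags are set.
//
// The error is the one returned by statfs(2) for path (e.g. ENOENT).
//
// Ported from https://github.com/moby/moby/pull/35205
func getUnprivilegedMountFlags(path string) ([]string, error) {
	var statfs unix.Statfs_t
	if err := unix.Statfs(path, &statfs); err != nil {
		return nil, err
	}

	// The set of flags comes from
	// https://github.com/torvalds/linux/blob/v4.13/fs/namespace.c#L1034-L1048.
	//
	// A slice rather than a map is used deliberately: map iteration order is
	// randomised in Go, which made the returned option list (and anything
	// serialised from it) non-deterministic.
	//
	// statfs(2) reports ST_* bits in f_flags; for the flags listed here the
	// kernel defines the ST_* values identical to the MS_* mount constants,
	// which is what makes the mask comparison below valid.
	unprivilegedFlags := []struct {
		mask uint64
		name string
	}{
		{unix.MS_RDONLY, "ro"},
		{unix.MS_NODEV, "nodev"},
		{unix.MS_NOEXEC, "noexec"},
		{unix.MS_NOSUID, "nosuid"},
		{unix.MS_NOATIME, "noatime"},
		{unix.MS_RELATIME, "relatime"},
		{unix.MS_NODIRATIME, "nodiratime"},
	}

	// Statfs_t.Flags is a signed integer on Linux; the conversion to uint64
	// only reinterprets the bit pattern and does not lose any flag bits.
	set := uint64(statfs.Flags)

	var flags []string
	for _, f := range unprivilegedFlags {
		if set&f.mask == f.mask {
			flags = append(flags, f.name)
		}
	}

	return flags, nil
}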