container/mount: pass tmpfs flags
All checks were successful
Test / Create distribution (push) Successful in 32s
Test / Sandbox (push) Successful in 2m1s
Test / Sandbox (race detector) (push) Successful in 3m57s
Test / Hpkg (push) Successful in 3m55s
Test / Hakurei (race detector) (push) Successful in 4m30s
Test / Hakurei (push) Successful in 2m18s
Test / Flake checks (push) Successful in 1m14s
All checks were successful
Test / Create distribution (push) Successful in 32s
Test / Sandbox (push) Successful in 2m1s
Test / Sandbox (race detector) (push) Successful in 3m57s
Test / Hpkg (push) Successful in 3m55s
Test / Hakurei (race detector) (push) Successful in 4m30s
Test / Hakurei (push) Successful in 2m18s
Test / Flake checks (push) Successful in 1m14s
Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
@@ -28,7 +28,9 @@ const (
|
||||
ignore = "\x00"
|
||||
ignoreV = -1
|
||||
|
||||
pathWantMnt = "/etc/hakurei/want-mnt"
|
||||
pathPrefix = "/etc/hakurei/"
|
||||
pathWantMnt = pathPrefix + "want-mnt"
|
||||
pathReadonly = pathPrefix + "readonly"
|
||||
)
|
||||
|
||||
var containerTestCases = []struct {
|
||||
@@ -62,7 +64,7 @@ var containerTestCases = []struct {
|
||||
new(container.Ops).
|
||||
Tmpfs(hst.Tmp, 0, 0755),
|
||||
[]*vfs.MountInfoEntry{
|
||||
ent("/", hst.Tmp, "rw,nosuid,nodev,relatime", "tmpfs", "tmpfs", ignore),
|
||||
ent("/", hst.Tmp, "rw,nosuid,nodev,relatime", "tmpfs", "ephemeral", ignore),
|
||||
},
|
||||
9, 9, nil, 0, seccomp.PresetStrict},
|
||||
{"dev", true, true /* go test output is not a tty */, false,
|
||||
@@ -140,6 +142,7 @@ func TestContainer(t *testing.T) {
|
||||
c.HostNet = tc.net
|
||||
|
||||
c.
|
||||
Readonly(pathReadonly, 0755).
|
||||
Tmpfs("/tmp", 0, 0755).
|
||||
Place("/etc/hostname", []byte(c.Hostname))
|
||||
// needs /proc to check mountinfo
|
||||
@@ -158,8 +161,10 @@ func TestContainer(t *testing.T) {
|
||||
}
|
||||
mnt = append(mnt, tc.mnt...)
|
||||
mnt = append(mnt,
|
||||
// Readonly(pathReadonly, 0755)
|
||||
ent("/", pathReadonly, "ro,nosuid,nodev", "tmpfs", "readonly", ignore),
|
||||
// Tmpfs("/tmp", 0, 0755)
|
||||
ent("/", "/tmp", "rw,nosuid,nodev,relatime", "tmpfs", "tmpfs", ignore),
|
||||
ent("/", "/tmp", "rw,nosuid,nodev,relatime", "tmpfs", "ephemeral", ignore),
|
||||
// Place("/etc/hostname", []byte(hostname))
|
||||
ent(ignore, "/etc/hostname", "ro,nosuid,nodev,relatime", "tmpfs", "rootfs", ignore),
|
||||
// Proc("/proc")
|
||||
@@ -309,6 +314,10 @@ func init() {
|
||||
return fmt.Errorf("/etc/hostname: %q, want %q", string(p), wantHost)
|
||||
}
|
||||
|
||||
if _, err := os.Create(pathReadonly + "/nonexistent"); !errors.Is(err, syscall.EROFS) {
|
||||
return err
|
||||
}
|
||||
|
||||
{
|
||||
var fail bool
|
||||
|
||||
|
||||
@@ -97,7 +97,7 @@ func remountWithFlags(n *vfs.MountInfoNode, mf uintptr) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func mountTmpfs(fsname, name string, size int, perm os.FileMode) error {
|
||||
func mountTmpfs(fsname, name string, flags uintptr, size int, perm os.FileMode) error {
|
||||
target := toSysroot(name)
|
||||
if err := os.MkdirAll(target, parentPerm(perm)); err != nil {
|
||||
return wrapErrSelf(err)
|
||||
@@ -107,7 +107,7 @@ func mountTmpfs(fsname, name string, size int, perm os.FileMode) error {
|
||||
opt += fmt.Sprintf(",size=%d", size)
|
||||
}
|
||||
return wrapErrSuffix(
|
||||
Mount(fsname, target, "tmpfs", MS_NOSUID|MS_NODEV, opt),
|
||||
Mount(fsname, target, "tmpfs", flags, opt),
|
||||
fmt.Sprintf("cannot mount tmpfs on %q:", name))
|
||||
}
|
||||
|
||||
|
||||
@@ -170,7 +170,7 @@ func (d MountDevOp) apply(params *Params) error {
|
||||
}
|
||||
target := toSysroot(v)
|
||||
|
||||
if err := mountTmpfs("devtmpfs", v, 0, params.ParentPerm); err != nil {
|
||||
if err := mountTmpfs("devtmpfs", v, MS_NOSUID|MS_NODEV, 0, params.ParentPerm); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
@@ -280,14 +280,22 @@ func init() { gob.Register(new(MountTmpfsOp)) }
|
||||
|
||||
// Tmpfs appends an [Op] that mounts tmpfs on container path [MountTmpfsOp.Path].
|
||||
func (f *Ops) Tmpfs(dest string, size int, perm os.FileMode) *Ops {
|
||||
*f = append(*f, &MountTmpfsOp{dest, size, perm})
|
||||
*f = append(*f, &MountTmpfsOp{"ephemeral", dest, MS_NOSUID | MS_NODEV, size, perm})
|
||||
return f
|
||||
}
|
||||
|
||||
// Readonly appends an [Op] that mounts read-only tmpfs on container path [MountTmpfsOp.Path].
|
||||
func (f *Ops) Readonly(dest string, perm os.FileMode) *Ops {
|
||||
*f = append(*f, &MountTmpfsOp{"readonly", dest, MS_RDONLY | MS_NOSUID | MS_NODEV, 0, perm})
|
||||
return f
|
||||
}
|
||||
|
||||
type MountTmpfsOp struct {
|
||||
Path string
|
||||
Size int
|
||||
Perm os.FileMode
|
||||
FSName string
|
||||
Path string
|
||||
Flags uintptr
|
||||
Size int
|
||||
Perm os.FileMode
|
||||
}
|
||||
|
||||
func (t *MountTmpfsOp) early(*Params) error { return nil }
|
||||
@@ -298,7 +306,7 @@ func (t *MountTmpfsOp) apply(*Params) error {
|
||||
if t.Size < 0 || t.Size > math.MaxUint>>1 {
|
||||
return msg.WrapErr(EBADE, fmt.Sprintf("size %d out of bounds", t.Size))
|
||||
}
|
||||
return mountTmpfs("tmpfs", t.Path, t.Size, t.Perm)
|
||||
return mountTmpfs(t.FSName, t.Path, t.Flags, t.Size, t.Perm)
|
||||
}
|
||||
|
||||
func (t *MountTmpfsOp) Is(op Op) bool { vt, ok := op.(*MountTmpfsOp); return ok && *t == *vt }
|
||||
|
||||
Reference in New Issue
Block a user