Merge pull request #1594 from NVIDIA/backport-1593-to-release-1.18

[release-1.18] Ensure that IPC sockets are not mounted read-only

Author: elezar

internal/discover/ipc.go

@@ -21,6 +21,15 @@ import (
 	"github.com/NVIDIA/nvidia-container-toolkit/internal/lookup"
 )
 
+// ipcMountOptions defines the mount options for IPC sockets.
+var ipcMountOptions = []string{
+	"nosuid",
+	"nodev",
+	"rbind",
+	"rprivate",
+	"noexec",
+}
+
 type ipcMounts mounts
 
 // NewIPCDiscoverer creats a discoverer for NVIDIA IPC sockets.
@@ -60,7 +69,7 @@ func NewIPCDiscoverer(logger logger.Interface, driverRoot string) (Discover, err
 	return d, nil
 }
 
-// Mounts returns the discovered mounts with "noexec" added to the mount options.
+// Mounts returns the discovered mounts with IPC-specific mount options.
 func (d *ipcMounts) Mounts() ([]Mount, error) {
 	mounts, err := (*mounts)(d).Mounts()
 	if err != nil {
@@ -70,7 +79,7 @@ func (d *ipcMounts) Mounts() ([]Mount, error) {
 	var modifiedMounts []Mount
 	for _, m := range mounts {
 		mount := m
-		mount.Options = append(mount.Options, "noexec")
+		mount.Options = ipcMountOptions
 		modifiedMounts = append(modifiedMounts, mount)
 	}
 

internal/discover/ipc_test.go

@@ -49,7 +49,6 @@ func TestIPCMounts(t *testing.T) {
 				HostPath: "/host/path",
 				Path:     "/host/path",
 				Options: []string{
-					"ro",
 					"nosuid",
 					"nodev",
 					"rbind",