
Commit 0ae642f

Luap99TomSweeneyRedHat
authored andcommitted
[v4.4.1-rhel] do not pass volume-opt as bind mounts options to runtime
Starting with runc 1.3.0 it errors when we pass unknown mount options to the runtime, the volume-opt options are specific to the volume we create and should not be passed to the mount in the oci spec. Fixes: podman-container-tools#26938 (originally) Follow up PR to: podman-container-tools#28092 Just before merging it was realized that the commit in this PR were also needed to completely address CVE-2025-52881 Fixes: https://issues.redhat.com/browse/OCPBUGS-67036, https://issues.redhat.com/browse/OCPBUGS-67053, https://issues.redhat.com/browse/OCPBUGS-67070, https://issues.redhat.com/browse/OCPBUGS-67090, https://issues.redhat.com/browse/RHEL-134783, https://issues.redhat.com/browse/RHEL-134787 Signed-off-by: Paul Holzinger <pholzing@redhat.com> (cherry picked from commit 4e2a04d) Signed-off-by: Tom Sweeney <tsweeney@redhat.com>
1 parent dfe1819 commit 0ae642f

2 files changed

Lines changed: 25 additions & 7 deletions


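--- a/libpod/runtime_ctr.go
+++ b/libpod/runtime_ctr.go
@@ -479,6 +479,15 @@ func (r *Runtime) setupContainer(ctx context.Context, ctr *Container) (_ *Contai
 _, err := r.state.Volume(vol.Name)
 if err == nil {
 // The volume exists, we're good
+// Make sure to drop all volume-opt options as they only apply to
+// the volume create which we don't do again.
+var volOpts []string
+for _, opts := range vol.Options {
+if !strings.HasPrefix(opts, "volume-opt") {
+volOpts = append(volOpts, opts)
+}
+}
+vol.Options = volOpts
 continue
 } else if !errors.Is(err, define.ErrNoSuchVolume) {
 return nil, fmt.Errorf("retrieving named volume %s for new container: %w", vol.Name, err)
@@ -504,6 +513,7 @@ func (r *Runtime) setupContainer(ctx context.Context, ctr *Container) (_ *Contai
 if len(vol.Options) > 0 {
 isDriverOpts := false
 driverOpts := make(map[string]string)
+var volOpts []string
 for _, opts := range vol.Options {
 if opts == "idmap" {
 needsChown = false
@@ -515,8 +525,11 @@ func (r *Runtime) setupContainer(ctx context.Context, ctr *Container) (_ *Contai
 return nil, err
 }
 driverOpts[driverOptKey] = driverOptValue
+} else {
+volOpts = append(volOpts, opts)
 }
 }
+vol.Options = volOpts
 if isDriverOpts {
 parsedOptions := []VolumeCreateOption{WithVolumeOptions(driverOpts)}
 volOptions = append(volOptions, parsedOptions...)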
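Review bot: The filter added in the first hunk, `if !strings.HasPrefix(opts, "volume-opt") {`, drops every option whose text merely begins with volume-opt, while the second hunk keeps as mount options only what falls through an `else` whose condition sits outside the visible lines and presumably parses the `volume-opt=key=value` form, so the two paths can classify an option differently. Using the delimited prefix, `if !strings.HasPrefix(opts, "volume-opt=") {`, matches the documented syntax, and since the same split is now done in two places a small helper that partitions an options slice into runtime mount options and volume-opt entries would keep them from drifting apart. Because the existing-volume path now silently ignores user-supplied volume-opt values, the added comment could say so explicitly, e.g. `// volume-opt values given for an already existing volume are ignored, not applied.`. setupContainer begins and ends outside these hunks, and whether this file already imports `strings` is not visible here.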

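--- a/test/e2e/run_volume_test.go
+++ b/test/e2e/run_volume_test.go
@@ -6,6 +6,7 @@ import (
 "os/exec"
 "os/user"
 "path/filepath"
+"strconv"
 "strings"
 
 . "github.com/containers/podman/v4/test/utils"
@@ -875,14 +876,18 @@ VOLUME /test/`, ALPINE)
 It("podman run with --mount and named volume with driver-opts", func() {
 // anonymous volume mount with driver opts
 vol := "type=volume,source=test_vol,dst=/test,volume-opt=type=tmpfs,volume-opt=device=tmpfs,volume-opt=o=nodev"
-session := podmanTest.Podman([]string{"run", "--rm", "--mount", vol, ALPINE, "echo", "hello"})
-session.WaitWithDefaultTimeout()
-Expect(session).Should(Exit(0))
 
-inspectVol := podmanTest.Podman([]string{"volume", "inspect", "test_vol"})
-inspectVol.WaitWithDefaultTimeout()
-Expect(inspectVol).Should(Exit(0))
-Expect(inspectVol.OutputToString()).To(ContainSubstring("nodev"))
+// Loop twice to cover both the initial code path that creates the volume and the ones which reuses it.
+for i := range 2 {
+name := "testctr" + strconv.Itoa(i)
+podmanTest.PodmanExitCleanly("run", "--name", name, "--mount", vol, ALPINE, "echo", "hello")
+
+inspectVol := podmanTest.PodmanExitCleanly("volume", "inspect", "test_vol")
+Expect(inspectVol.OutputToString()).To(ContainSubstring("nodev"))
+
+inspect := podmanTest.PodmanExitCleanly("container", "inspect", name, "--format", "{{range .Mounts}}{{.Options}}{{end}}")
+Expect(inspect.OutputToString()).To(ContainSubstring("[nosuid nodev rbind]"))
+}
 })
 
 It("volume permissions after run", func() {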
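Review bot: `for i := range 2` on the new side is range-over-integer syntax that needs the module's go directive to be at least 1.22; on a v4.4.1-rhel backport branch that floor is not visible here, so confirm it or use the classic form `for i := 0; i < 2; i++ {` to keep the test compiling under the branch's toolchain. The containers named testctr0 and testctr1 are now created without the `--rm` the removed line carried, which is fine only if the suite's per-test cleanup removes them; that cleanup is not visible in this hunk. The loop comment could also name the property being checked, e.g. `// The container's mount options must never contain volume-opt entries, whether the volume was just created or reused.`, since the `[nosuid nodev rbind]` assertion is the part of this test that actually covers the runtime_ctr.go change.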
