From 0aad93f08ca4da8f33ad709dbe49593f6ff5c59c Mon Sep 17 00:00:00 2001
From: Vinayak Goyal <vinaygo@google.com>
Date: Fri, 24 Mar 2023 21:34:34 +0000
Subject: [PATCH 1/3] Add noexec nodev and nosuid to sandbox /etc/resolv.conf
mount bind.
Signed-off-by: Vinayak Goyal <vinaygo@google.com>
(cherry picked from commit ae4dbb60d5e339bfcd5e8f41cdb0f8418e35ce54)
Signed-off-by: Vinayak Goyal <vinaygo@google.com>
---
pkg/cri/server/sandbox_run_linux.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/cri/server/sandbox_run_linux.go b/pkg/cri/server/sandbox_run_linux.go
index 381b38b8928..939fa63d435 100644
--- a/pkg/cri/server/sandbox_run_linux.go
+++ b/pkg/cri/server/sandbox_run_linux.go
@@ -135,7 +135,7 @@ func (c *criService) sandboxContainerSpec(id string, config *runtime.PodSandboxC
Source: c.getResolvPath(id),
Destination: resolvConfPath,
Type: "bind",
- Options: []string{"rbind", "ro"},
+ Options: []string{"rbind", "ro", "nosuid", "nodev", "noexec"},
},
}))
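Review bot: The new option list on the `Options:` line is a hardening decision with no explanation in the code, and the same literal is duplicated in pkg/cri/sbserver/podsandbox/sandbox_run_linux.go (hunk at @@ -117,7 +117,7 @@), so the two code paths can silently drift apart. A short comment above the `Options:` line would record the intent, e.g. `// ro plus nosuid, nodev and noexec: the host-managed resolv.conf is bind-mounted into the sandbox and must never be usable as an executable, setuid binary or device node, even if its source is tampered with.` Consider also sourcing both call sites from one shared declaration so a future flag is added to both servers at once. The enclosing sandboxContainerSpec function starts before this hunk and its body continues after it, so I cannot see whether the neighbouring sandbox bind mounts (hosts, hostname, shm) in the same spec receive the same options; if they do not, that is worth checking.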
From 5e953cfa62abb90b2c4dc775907cbb276637bfe8 Mon Sep 17 00:00:00 2001
From: Vinayak Goyal <vinaygo@google.com>
Date: Wed, 29 Mar 2023 18:36:01 +0000
Subject: [PATCH 2/3] Test to ensure nosuid,nodev,noexec are set on
/etc/resolv.conf mount.
Signed-off-by: Vinayak Goyal <vinaygo@google.com>
(cherry picked from commit 990199a021fcbb5330cc3e050e581565f025366e)
Signed-off-by: Vinayak Goyal <vinaygo@google.com>
---
pkg/cri/server/sandbox_run_linux_test.go | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/pkg/cri/server/sandbox_run_linux_test.go b/pkg/cri/server/sandbox_run_linux_test.go
index 9c646e06947..70209a45d27 100644
--- a/pkg/cri/server/sandbox_run_linux_test.go
+++ b/pkg/cri/server/sandbox_run_linux_test.go
@@ -91,6 +91,14 @@ func getRunPodSandboxTestData() (*runtime.PodSandboxConfig, *imagespec.ImageConf
assert.NotEqual(t, "", spec.Process.SelinuxLabel)
assert.NotEqual(t, "", spec.Linux.MountLabel)
}
+
+ assert.Contains(t, spec.Mounts, runtimespec.Mount{
+ Source: "/test/root/sandboxes/test-id/resolv.conf",
+ Destination: resolvConfPath,
+ Type: "bind",
+ Options: []string{"rbind", "ro", "nosuid", "nodev", "noexec"},
+ })
+
}
return config, imageConfig, specCheck
}
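Review bot: The added `assert.Contains(t, spec.Mounts, runtimespec.Mount{...})` compares the whole Mount struct, so it passes only when the Source, Type and the exact Options slice (order included) all match; if a later change reorders the options or adds another flag, the test fails without reporting which of nosuid, nodev or noexec is actually missing, which is the property the commit wants pinned. The same assertion is repeated in pkg/cri/sbserver/podsandbox/sandbox_run_linux_test.go (hunk at @@ -91,6 +91,14 @@). Locating the mount by Destination and asserting each required option individually keeps the check order-insensitive and makes a failure name the missing flag; the hard-coded Source path is then asserted separately. The enclosing specCheck closure starts before this hunk.
```go
// … unchanged: SELinux label assertions …
var resolvMount *runtimespec.Mount
for i := range spec.Mounts {
	if spec.Mounts[i].Destination == resolvConfPath {
		resolvMount = &spec.Mounts[i]
		break
	}
}
if assert.NotNil(t, resolvMount, "resolv.conf bind mount missing from sandbox spec") {
	assert.Equal(t, "/test/root/sandboxes/test-id/resolv.conf", resolvMount.Source)
	assert.Equal(t, "bind", resolvMount.Type)
	for _, opt := range []string{"ro", "nosuid", "nodev", "noexec"} {
		assert.Contains(t, resolvMount.Options, opt, "resolv.conf mount lacks %q", opt)
	}
}
```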
From 9b4935d86436419670febe9695787a3aaf5ceeb7 Mon Sep 17 00:00:00 2001
From: Vinayak Goyal <vinaygo@google.com>
Date: Thu, 30 Mar 2023 21:52:19 +0000
Subject: [PATCH 3/3] Update sbserver to add noexec nodev and nosuid to
/etc/resolv.conf mount bind.
Signed-off-by: Vinayak Goyal <vinaygo@google.com>
(cherry picked from commit ac84bf7c893bcce52e0ba7a44c9e37e02c945d0d)
Signed-off-by: Vinayak Goyal <vinaygo@google.com>
---
pkg/cri/sbserver/podsandbox/sandbox_run_linux.go | 2 +-
pkg/cri/sbserver/podsandbox/sandbox_run_linux_test.go | 8 ++++++++
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/pkg/cri/sbserver/podsandbox/sandbox_run_linux.go b/pkg/cri/sbserver/podsandbox/sandbox_run_linux.go
index 437d792ceee..d0f95a706e7 100644
--- a/pkg/cri/sbserver/podsandbox/sandbox_run_linux.go
+++ b/pkg/cri/sbserver/podsandbox/sandbox_run_linux.go
@@ -117,7 +117,7 @@ func (c *Controller) sandboxContainerSpec(id string, config *runtime.PodSandboxC
Source: c.getResolvPath(id),
Destination: resolvConfPath,
Type: "bind",
- Options: []string{"rbind", "ro"},
+ Options: []string{"rbind", "ro", "nosuid", "nodev", "noexec"},
},
}))
diff --git a/pkg/cri/sbserver/podsandbox/sandbox_run_linux_test.go b/pkg/cri/sbserver/podsandbox/sandbox_run_linux_test.go
index 27996a1a37e..4f63407785b 100644
--- a/pkg/cri/sbserver/podsandbox/sandbox_run_linux_test.go
+++ b/pkg/cri/sbserver/podsandbox/sandbox_run_linux_test.go
@@ -91,6 +91,14 @@ func getRunPodSandboxTestData() (*runtime.PodSandboxConfig, *imagespec.ImageConf
assert.NotEqual(t, "", spec.Process.SelinuxLabel)
assert.NotEqual(t, "", spec.Linux.MountLabel)
}
+
+ assert.Contains(t, spec.Mounts, runtimespec.Mount{
+ Source: "/test/root/sandboxes/test-id/resolv.conf",
+ Destination: resolvConfPath,
+ Type: "bind",
+ Options: []string{"rbind", "ro", "nosuid", "nodev", "noexec"},
+ })
+
}
return config, imageConfig, specCheck
}