Ensure that ro mounts are remounted

Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
Michael Crosby 2014-04-07 18:23:22 -07:00
parent 1adf0ae8a4
commit 8824b08802


@ -37,14 +37,21 @@ func setupNewMountNamespace(rootfs string, bindMounts []libcontainer.Mount, cons
} }
for _, m := range bindMounts { for _, m := range bindMounts {
flags := syscall.MS_BIND | syscall.MS_REC var (
flags = syscall.MS_BIND | syscall.MS_REC
dest = filepath.Join(rootfs, m.Destination)
)
if !m.Writable { if !m.Writable {
flags = flags | syscall.MS_RDONLY flags = flags | syscall.MS_RDONLY
} }
dest := filepath.Join(rootfs, m.Destination)
if err := system.Mount(m.Source, dest, "bind", uintptr(flags), ""); err != nil { if err := system.Mount(m.Source, dest, "bind", uintptr(flags), ""); err != nil {
return fmt.Errorf("mounting %s into %s %s", m.Source, dest, err) return fmt.Errorf("mounting %s into %s %s", m.Source, dest, err)
} }
if !m.Writable {
if err := system.Mount(m.Source, dest, "bind", uintptr(flags|syscall.MS_REMOUNT), ""); err != nil {
return fmt.Errorf("remounting %s into %s %s", m.Source, dest, err)
}
}
if m.Private { if m.Private {
if err := system.Mount("", dest, "none", uintptr(syscall.MS_PRIVATE), ""); err != nil { if err := system.Mount("", dest, "none", uintptr(syscall.MS_PRIVATE), ""); err != nil {
return fmt.Errorf("mounting %s private %s", dest, err) return fmt.Errorf("mounting %s private %s", dest, err)
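Review bot: The added remount, `system.Mount(m.Source, dest, "bind", uintptr(flags|syscall.MS_REMOUNT), "")`, makes only the top-level bind mount read-only. The kernel does not apply MS_RDONLY recursively on a remount even though MS_REC is still set in `flags`, so submounts pulled in from `m.Source` by the recursive bind would stay writable inside the container. If `!m.Writable` is meant as a containment guarantee, either document that limit or enumerate the mounts under `dest` and remount each one read-only. A why-comment above the new block would also help the next reader, for example `// MS_RDONLY is ignored when a bind mount is created; remount to apply it`. The body of setupNewMountNamespace starts and ends outside this hunk, so whether submounts are handled elsewhere cannot be confirmed from here.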