m/node/kubernetes: mount PVs with noexec on the host

Now that runc always replaces per-mount-point flags when bind-mounting
volumes inside the container, we can mount them with noexec on the host
without affecting workloads. This has some security advantages, as any
executables in volumes are no longer executable from the host.

Change-Id: Id5a8ea8caf702fca58d300fc9e17c21e94ebaf13
Reviewed-on: https://review.monogon.dev/c/monogon/+/3660
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
Tested-by: Jenkins CI
diff --git a/metropolis/node/kubernetes/csi.go b/metropolis/node/kubernetes/csi.go
index f7ff00a..c4e793d 100644
--- a/metropolis/node/kubernetes/csi.go
+++ b/metropolis/node/kubernetes/csi.go
@@ -115,7 +115,7 @@
 			return nil, status.Errorf(codes.Unavailable, "failed to bind-mount volume: %v", err)
 		}
 
-		var flags uintptr = unix.MS_REMOUNT | unix.MS_BIND
+		var flags uintptr = unix.MS_REMOUNT | unix.MS_BIND | unix.MS_NOEXEC | unix.MS_NOSUID | unix.MS_NODEV
 		if req.Readonly {
 			flags |= unix.MS_RDONLY
 		}
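Review bot: the commit title and body only mention noexec, but the new flags line also adds `unix.MS_NOSUID | unix.MS_NODEV`; since nosuid and nodev affect setuid binaries and device nodes on volumes in ways noexec does not, the commit message should name all three (or the change should be narrowed to the one it claims), so the intended host-side mount policy is documented. A short comment above `var flags uintptr = ...` would also help: an `MS_REMOUNT | MS_BIND` remount replaces the per-mount-point flags of the bind mount rather than adding to them, which is why `MS_RDONLY` is OR-ed in explicitly under `if req.Readonly` instead of being inherited, and why any flag omitted from this line is silently cleared.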