From 2d7d8d1d108f5a363d4e0479c57c207839110a54 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Thu, 7 Sep 2023 07:45:45 -0400
Subject: [PATCH] Tmpfs should not be mounted noexec

The logic here makes little sense, basically the /tmp and /var/tmp are always set noexec, while /run is not. I don't see a reason to set any of the three noexec by default.

Fixes: https://github.com/containers/podman/issues/19886

Signed-off-by: Daniel J Walsh
---
 pkg/specgen/generate/storage.go | 3 ---
 test/system/700-play.bats | 14 +++++++++++++-
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/pkg/specgen/generate/storage.go b/pkg/specgen/generate/storage.go
index b907756c46..5052298c57 100644
--- a/pkg/specgen/generate/storage.go
+++ b/pkg/specgen/generate/storage.go
@@ -462,9 +462,6 @@ func addReadWriteTmpfsMounts(mounts map[string]spec.Mount, volumes []*specgen.Na
 Source: define.TypeTmpfs,
 Options: options,
 }
- if dest != runPath {
- mnt.Options = append(mnt.Options, "noexec")
- }
 mounts[dest] = mnt
 }
 return mounts
diff --git a/test/system/700-play.bats b/test/system/700-play.bats
index 67e83c2286..fd72508325 100644
--- a/test/system/700-play.bats
+++ b/test/system/700-play.bats
@@ -281,7 +281,7 @@ EOF
 # will spin for indeterminate time.
 run_podman create --pod new:pod1 --restart=no --name test1 $IMAGE touch /testrw
 run_podman create --pod pod1 --read-only --restart=no --name test2 $IMAGE touch /testro
- run_podman create --pod pod1 --read-only --restart=no --name test3 $IMAGE touch /tmp/testtmp
+ run_podman create --pod pod1 --read-only --restart=no --name test3 $IMAGE sh -c "echo "#!echo hi" > /tmp/testtmp; chmod +x /tmp/test/tmp; /tmp/testtmp"
 # Generate and run from yaml. (The "cat" is for debugging failures)
 run_podman kube generate pod1 -f $YAML
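Review bot: The read/write tmpfs mounts this helper adds (per the commit message, /tmp and /var/tmp) lose their only exec restriction here, and nothing in the commit documents that behaviour change; judging by the bats test in the same commit these are the writable paths inside a `--read-only` container, so content written there becomes runnable by default once `noexec` is gone. Whether that trade-off is right is a policy call, but it should be called out in the `--read-only`/`--read-only-tmpfs` documentation and in a comment on the loop, e.g. `// Options mirror a plain tmpfs mount; callers that want noexec must request it explicitly (e.g. via --tmpfs)`. Also worth confirming that `runPath` is still referenced elsewhere in the file, since the removed `dest != runPath` check may have been its only use. The function's opening, including the definition of `options`, is above the hunk.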
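Review bot: The new test3 command never exercises the exec path: inside `sh -c "echo "#!echo hi" > …"` the inner double quotes close the outer ones, so the script `sh -c` receives is just `echo #!echo` (a bare `echo` followed by a comment) and the remainder becomes `$0`; the container would print an empty line and exit 0 without writing, chmod-ing or running /tmp/testtmp. There is also a typo in the chmod target, `/tmp/test/tmp` for `/tmp/testtmp`, and `#!echo` is not a usable interpreter path. Quoting the whole script once and using a real shebang fixes both: `run_podman create --pod pod1 --read-only --restart=no --name test3 $IMAGE sh -c "printf '#!/bin/sh\necho hi\n' > /tmp/testtmp; chmod +x /tmp/testtmp; /tmp/testtmp"`. This only proves the point if the test later checks test3's exit status, which happens outside the hunk.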
@@ -765,6 +765,18 @@ EOF
 run_podman rm -a
 }
+@test "podman kube generate tmpfs on /tmp" {
+ KUBE=$PODMAN_TMPDIR/kube.yaml
+ run_podman create --name test $IMAGE sleep 100
+ run_podman kube generate test -f $KUBE
+ run_podman kube play $KUBE
+ run_podman exec test-pod-test sh -c "mount | grep /tmp"
+ assert "$output" !~ "noexec" "mounts on /tmp should not be noexec"
+ run_podman kube down $KUBE
+ run_podman pod rm -a -f -t 0
+ run_podman rm -a -f -t 0
+}
+
 @test "podman kube play - pull policy" {
 skip_if_remote "pull debug logs only work locally"
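Review bot: `mount | grep /tmp` is broader than the test name implies: it matches any mount line containing `/tmp` (for instance /var/tmp, or a host source path under /tmp), so the `!~ "noexec"` assertion can pass or fail because of an unrelated mount, and when nothing matches `grep` exits 1 and `run_podman exec` fails with a generic error rather than the intended message. Anchoring on the mount point keeps the check to /tmp itself: `run_podman exec test-pod-test sh -c "mount | grep ' on /tmp '"`. A short comment at the top of the test saying which mount `kube play` is expected to create at /tmp would also help, since it is not obvious from the test why a plain `sleep 100` container gets a tmpfs there.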