From 145b71b376faa060609bfe06045b357d1c7d026a Mon Sep 17 00:00:00 2001
From: Justin Santa Barbara
Date: Sun, 19 Apr 2020 13:26:53 -0400
Subject: [PATCH] Partially implement MountSensitive
We still don't actually support sensitive options, but it doesn't look like we need them, MountSensitive is just called with empty sensitiveOptions in a few places.
Issue #8908
---
 protokube/pkg/hostmount/nsenter_linux.go | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/protokube/pkg/hostmount/nsenter_linux.go b/protokube/pkg/hostmount/nsenter_linux.go
index 736d8a631d..62e06e8697 100644
--- a/protokube/pkg/hostmount/nsenter_linux.go
+++ b/protokube/pkg/hostmount/nsenter_linux.go
@@ -51,7 +51,19 @@ func (*Mounter) List() ([]mount.MountPoint, error) {
 // Mount runs mount(8) in the host's root mount namespace. Aside from this
 // aspect, Mount has the same semantics as the mounter returned by mount.New()
 func (n *Mounter) Mount(source string, target string, fstype string, options []string) error {
- bind, bindOpts, bindRemountOpts := mount.MakeBindOpts(options)
+ return n.MountSensitive(source, target, fstype, options, nil)
+}
+
+// MountSensitive is the same as Mount() but this method allows
+// sensitiveOptions to be passed in a separate parameter from the normal
+// mount options and ensures the sensitiveOptions are never logged. This
+// method should be used by callers that pass sensitive material (like
+// passwords) as mount options.
+func (n *Mounter) MountSensitive(source string, target string, fstype string, options []string, sensitiveOptions []string) error {
+ bind, bindOpts, bindRemountOpts, bindRemountSensitiveOpts := mount.MakeBindOptsSensitive(options, sensitiveOptions)
+ if len(bindRemountSensitiveOpts) != 0 {
+ return fmt.Errorf("sensitiveOptions not supported by implementation of MountSensitive")
+ }
 if bind {
 err := n.doNsenterMount(source, target, fstype, bindOpts)
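Review bot: The guard in MountSensitive tests `bindRemountSensitiveOpts`, a value derived by `mount.MakeBindOptsSensitive`, instead of the `sensitiveOptions` argument itself, so whether it rejects exactly the calls that carry sensitive options depends on a helper whose body is not visible in this hunk. If that helper seeds its result with fixed entries, every call would be rejected, including the `nil` that Mount() now passes; if it filters entries, a non-empty `sensitiveOptions` could pass the check and then be silently dropped, since only `bindOpts` reaches doNsenterMount in the visible lines. Checking the input directly before the helper call, `if len(sensitiveOptions) != 0 { return fmt.Errorf("sensitiveOptions not supported by implementation of MountSensitive") }`, makes the behaviour independent of the helper. The doc comment also promises that sensitive options are never logged, while this implementation refuses them; it should say so, for example `// This implementation returns an error when sensitiveOptions is non-empty.` The function body continues past the end of the hunk.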
@@ -116,10 +128,6 @@ func (n *Mounter) makeNsenterArgs(source, target, fstype string, options []strin
 // We deliberately implement only the functions we need, so we don't have to maintain them...
-func (n *Mounter) MountSensitive(source string, target string, fstype string, options []string, sensitiveOptions []string) error {
- return fmt.Errorf("MountSensitive not implemented for containerized mounter")
-}
-
 func (n *Mounter) GetMountRefs(pathname string) ([]string, error) {
 return nil, fmt.Errorf("GetMountRefs not implemented for containerized mounter")
 }