util: use private propagation with bind

when the "bind" option is used, do not use the "rprivate" propagation as it would inhibit the effect of "bind", instead default to "private". Closes: #22107 Signed-off-by: Giuseppe Scrivano <[email protected]>
containers · Mar 21, 2024 · 4740367 · 4740367
1 parent 9a13b8f
commit 4740367
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 2 deletions.
diff --git a/pkg/util/mount_opts.go b/pkg/util/mount_opts.go
@@ -37,6 +37,8 @@ func processOptionsInternal(options []string, isTmpfs bool, sourcePath string, g
 		foundWrite, foundSize, foundProp, foundMode, foundExec, foundSuid, foundDev, foundCopyUp, foundBind, foundZ, foundU, foundOverlay, foundIdmap, foundCopy, foundNoSwap, foundNoDereference bool
 	)
 
+	recursiveBind := true
+
 	newOptions := make([]string, 0, len(options))
 	for _, opt := range options {
 		// Some options have parameters - size, mode
@@ -159,7 +161,10 @@ func processOptionsInternal(options []string, isTmpfs bool, sourcePath string, g
 				return nil, fmt.Errorf("the 'no-dereference' option can only be set once: %w", ErrDupeMntOption)
 			}
 			foundNoDereference = true
-		case define.TypeBind, "rbind":
+		case define.TypeBind:
+			recursiveBind = false
+			fallthrough
+		case "rbind":
 			if isTmpfs {
 				return nil, fmt.Errorf("the 'bind' and 'rbind' options are not allowed with tmpfs mounts: %w", ErrBadMntOption)
 			}
@@ -190,7 +195,11 @@ func processOptionsInternal(options []string, isTmpfs bool, sourcePath string, g
 		newOptions = append(newOptions, "rw")
 	}
 	if !foundProp {
-		newOptions = append(newOptions, "rprivate")
+		if recursiveBind {
+			newOptions = append(newOptions, "rprivate")
+		} else {
+			newOptions = append(newOptions, "private")
+		}
 	}
 	defaults, err := getDefaultMountOptions(sourcePath)
 	if err != nil {

diff --git a/pkg/util/utils_test.go b/pkg/util/utils_test.go
@@ -742,6 +742,12 @@ func TestProcessOptions(t *testing.T) {
 			sourcePath: "/path/to/source",
 			expected:   []string{"nodev", "nosuid", "rbind", "rprivate", "rw"},
 		},
+		{
+			name:       "default bind mount with bind",
+			sourcePath: "/path/to/source",
+			options:    []string{"bind"},
+			expected:   []string{"nodev", "nosuid", "bind", "private", "rw"},
+		},
 	}
 
 	for _, tt := range tests {