Add OverlayedReadOnly mount type

staticfloat · staticfloat · commit a3320d4ddcb4 · 2025-01-28T15:07:13.000Z
diff --git a/deps/userns_sandbox.c b/deps/userns_sandbox.c
@@ -51,6 +51,7 @@ enum {
   MOUNT_TYPE_READWRITE,
   MOUNT_TYPE_READONLY,
   MOUNT_TYPE_OVERLAYED,
+  MOUNT_TYPE_OVERLAYED_READONLY,
 };
 
 // Linked list of volume mappings
@@ -177,15 +178,20 @@ static void mount_the_world(const char * root_dir,
     // setting the bind-mount to be read-only if requested.
     bind_mount(entry->outside_path,
                path,
-               entry->type == MOUNT_TYPE_READONLY || entry->type == MOUNT_TYPE_OVERLAYED);
+               entry->type == MOUNT_TYPE_READONLY || entry->type == MOUNT_TYPE_OVERLAYED || entry->type == MOUNT_TYPE_OVERLAYED_READONLY);
 
     // If we're dealing with an overlayed mount, create a unique
     // name to store the state of this mount within our `persist_dir`.
-    if (entry->type == MOUNT_TYPE_OVERLAYED) {
+    if (entry->type == MOUNT_TYPE_OVERLAYED || entry->type == MOUNT_TYPE_OVERLAYED_READONLY) {
       char bname[PATH_MAX];
       hashed_basename(&bname[0], entry->mount_point);
       check(TRUE == mount_overlay(path, path, bname, persist_dir, userxattr));
       check(0 == chown(path, uid, gid));
+
+      // If this is a "read-only" overlay mount, remount as read-only here.
+      if (entry->type == MOUNT_TYPE_OVERLAYED_READONLY) {
+        check(0 == mount("overlay", path, "overlay", MS_REMOUNT|MS_RDONLY, ""));
+      }
     }
     entry = entry->prev;
   }
@@ -446,6 +452,8 @@ int main(int sandbox_argc, char **sandbox_argv) {
             mount_type = MOUNT_TYPE_READONLY;
           } else if (strcmp(mount_str, "ov") == 0) {
             mount_type = MOUNT_TYPE_OVERLAYED;
+          } else if (strcmp(mount_str, "rov") == 0) {
+            mount_type = MOUNT_TYPE_OVERLAYED_READONLY;
           } else if (strcmp(mount_str, "rw") == 0) {
             mount_type = MOUNT_TYPE_READWRITE;
           } else {
diff --git a/src/Docker.jl b/src/Docker.jl
@@ -186,7 +186,7 @@ function build_executor_command(exe::DockerExecutor, config::SandboxConfig, user
         local mount_type_str
         if mount_info.type == MountType.ReadOnly
             mount_type_str = ":ro"
-        elseif mount_info.type == MountType.Overlayed
+        elseif mount_info.type ∈ (MountType.Overlayed, MountType.OverlayedReadOnly)
             continue
         elseif mount_info.type == MountType.ReadWrite
             mount_type_str = ""
diff --git a/src/SandboxConfig.jl b/src/SandboxConfig.jl
@@ -5,6 +5,7 @@ const AnyRedirectable = Union{Base.AbstractCmd, Base.TTY, <:IO}
     ReadWrite
     ReadOnly
     Overlayed
+    OverlayedReadOnly
 end
 struct MountInfo
     host_path::String
diff --git a/src/UserNamespaces.jl b/src/UserNamespaces.jl
@@ -161,6 +161,8 @@ function build_executor_command(exe::UserNamespacesExecutor, config::SandboxConf
             mount_type_str = ":rw"
         elseif mount_info.type == MountType.Overlayed
             mount_type_str = ":ov"
+        elseif mount_info.type == MountType.OverlayedReadOnly
+            mount_type_str = ":rov"
         else
             throw(ArgumentError("Unknown mount type: $(mount_info.type)"))
         end
diff --git a/test/Sandbox.jl b/test/Sandbox.jl
@@ -99,7 +99,6 @@ for executor in all_executors
 
         @testset "writing to mounts" begin
             mktempdir() do dir
-                stdout = IOBuffer()
                 config = SandboxConfig(
                     Dict(
                         "/" => MountInfo(rootfs_dir, MountType.Overlayed),
@@ -114,6 +113,21 @@ for executor in all_executors
             end
         end
 
+        @testset "OverlayedReadOnly" begin
+            mktempdir() do dir
+                config = SandboxConfig(
+                    Dict(
+                        "/" => MountInfo(rootfs_dir, MountType.Overlayed),
+                        "/read_only" => MountInfo(dir, MountType.OverlayedReadOnly),
+                    );
+                )
+                with_executor(executor) do exe
+                    @test success(exe, config, `/bin/sh -c "[ -d /read_only ]"`)
+                    @test !success(exe, config, `/bin/sh -c "echo aperture > /read_only/error.txt 2>&1"`)
+                end
+            end
+        end
+
         @testset "pipelining" begin
             pipe = PipeBuffer()
             stdout = IOBuffer()
