[pve-devel] [PATCH container 1/2] fix #1451: add more mount options for containers

Oguz Bektas o.bektas at proxmox.com
Wed May 15 18:15:40 CEST 2019


added atime-related options (noatime, nodiratime, strictatime,
relatime), and some other security-related mount options (noexec,
nosuid, nobarrier, nodev) for container mountpoints (and rootfs).

Signed-off-by: Oguz Bektas <o.bektas at proxmox.com>
---
 src/PVE/LXC.pm        | 19 +++++++++++++++++--
 src/PVE/LXC/Config.pm | 26 ++++++++++++++++++++++++++
 2 files changed, 43 insertions(+), 2 deletions(-)

diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index 62b6b8c..81cffff 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -1415,11 +1415,26 @@ sub mountpoint_mount {
 
     die "unknown snapshot path for '$volid'" if !$storage && defined($snapname);
 
-    my $optstring = '';
+    my @mount_options = qw(nosuid noexec nodev nobarrier);
+    my $optlist = [];
+    foreach my $opt (@mount_options) {
+	if (defined $mountpoint->{$opt}) {
+	    push @$optlist, $opt;
+	}
+    }
+
     my $acl = $mountpoint->{acl};
     if (defined($acl)) {
-	$optstring .= ($acl ? 'acl' : 'noacl');
+	push @$optlist, ($acl ? 'acl' : 'noacl');
     }
+
+    my $atime = $mountpoint->{atime};
+    if (defined($atime)) {
+	push @$optlist, $atime;
+    }
+
+    my $optstring = '';
+    $optstring = join(',', @$optlist);
     my $readonly = $mountpoint->{ro};
 
     my @extra_opts;
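Review bot: The `defined $mountpoint->{$opt}` test in the new loop treats an explicitly disabled boolean as enabled, so `nosuid=0` (or `nodev=0`) in the config still pushes `nosuid`/`nodev` onto the mount options, which is the opposite of what the schema's `type => 'boolean'` suggests; the `acl` handling a few lines below shows the intended pattern. Testing truthiness instead, `if ($mountpoint->{$opt}) {`, fixes this for all four options and keeps the "unset means default" behaviour. The `my $optstring = '';` followed immediately by `$optstring = join(',', @$optlist);` is redundant; `my $optstring = join(',', @$optlist);` reads more clearly. Note that `nobarrier` is a data-integrity/performance knob rather than a security hardening option, and whether the target filesystem accepts it at all is not checked here, so a brief comment on the `@mount_options` line distinguishing it from `nosuid`/`noexec`/`nodev` would help the next reader. `mountpoint_mount` begins before and continues after this hunk, so the effect of `$optstring` on the actual mount call is not visible here.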
diff --git a/src/PVE/LXC/Config.pm b/src/PVE/LXC/Config.pm
index 8dcd73c..d796a45 100644
--- a/src/PVE/LXC/Config.pm
+++ b/src/PVE/LXC/Config.pm
@@ -236,6 +236,32 @@ my $rootfs_desc = {
 	description => 'Explicitly enable or disable ACL support.',
 	optional => 1,
     },
+    atime => {
+	type => 'string',
+	description => 'Option for atime',
+	optional => 1,
+	enum => [qw(noatime nodiratime relatime strictatime)],
+    },
+    nosuid => {
+	type => 'boolean',
+	description => 'Disable suid.',
+	optional => 1,
+    },
+    noexec => {
+	type => 'boolean',
+	description => 'Disable ability to execute.',
+	optional => 1,
+    },
+    nodev => {
+	type => 'boolean',
+	description => 'Disable devices.',
+	optional => 1,
+    },
+    nobarrier => {
+	type => 'boolean',
+	description => 'Disable write barriers.',
+	optional => 1,
+    },
     ro => {
 	type => 'boolean',
 	description => 'Read-only mount point',
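Review bot: The new `description` strings are too terse to tell a user what each option actually does on the mount, e.g. `'Option for atime'` for `atime` and `'Disable devices.'` for `nodev`, whereas these are the texts that surface in the API documentation and `pct` help. Suggested wording: for `atime` `'Controls when file access times are updated (mount options noatime, nodiratime, relatime, strictatime).'`, for `nosuid` `'Ignore setuid and setgid bits on the mount point (mount option nosuid).'`, for `noexec` `'Disallow direct execution of binaries on the mount point (mount option noexec).'`, for `nodev` `'Do not interpret character or block special devices on the mount point (mount option nodev).'`, and for `nobarrier` `'Disable filesystem write barriers on the mount point (mount option nobarrier); this trades data integrity on power loss for performance and is not a security option.'`. The `$rootfs_desc` hash this hunk adds to starts before the hunk, so I cannot see whether the same options are also reachable via the generic mountpoint schema or only on rootfs.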
-- 
2.11.0




