From 4999abafbcef03a977dc6d4a35c0127a4c4ec1f8 Mon Sep 17 00:00:00 2001
From: "W. Trevor King"
Date: Wed, 10 May 2017 17:30:57 -0700
Subject: [PATCH] libcontainer/specconv/spec_linux: defaults should not be a no-op

It has been since it landed in 9fac1832 (Initial commit of runc binary,
2015-06-21), but the spec currently references mount(8) for these
options [1] and mount(8) has:

  defaults
    Use the default options: rw, suid, dev, exec, auto, nouser, and
    async.

    Note that the real set of all default mount options depends on
    kernel and filesystem type. See the beginning of this section for
    more details.

I expect that "real set" paragraph applies to:

  Note that filesystems also have per-filesystem specific default
  mount options (see for example tune2fs -l output for extN
  filesystems).

This commit sets up 'defaults' according to that option list, but does
not do anything about 'auto' or 'nouser', which do not map to MS_*
flags and only apply to fstab entries.

For what it's worth, util-linux 2.28.2 seems to ignore 'defaults'
instead of clearing bits:

  # strace -o /tmp/trace mount -t tmpfs -o ro,defaults - /tmp/a
  # grep 'mount(' /tmp/trace
  mount("-", "/tmp/a", "tmpfs", MS_MGC_VAL|MS_RDONLY, NULL) = 0

While a single-bit clear option does unset an earlier bit:

  # strace -o /tmp/trace mount -t tmpfs -o ro,rw - /tmp/a
  # grep 'mount(' /tmp/trace
  mount("-", "/tmp/a", "tmpfs", MS_MGC_VAL, NULL) = 0

but the spec is currently punting to the util-linux mount(8) page and
not to the util-linux implementation.

[1]: https://github.com/opencontainers/runtime-spec/blame/v1.0.0-rc5/config.md#L68
[2]: http://man7.org/linux/man-pages/man8/mount.8.html#FILESYSTEM-INDEPENDENT_MOUNT%20OPTIONS

Signed-off-by: W. Trevor King
---
 libcontainer/specconv/spec_linux.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libcontainer/specconv/spec_linux.go b/libcontainer/specconv/spec_linux.go
index 1575ae03793..5c602ced936 100644
--- a/libcontainer/specconv/spec_linux.go
+++ b/libcontainer/specconv/spec_linux.go @@ -641,7 +641,7 @@ func parseMountOptions(options []string) (int, []int, string, int) { "async": {true, syscall.MS_SYNCHRONOUS}, "atime": {true, syscall.MS_NOATIME}, "bind": {false, syscall.MS_BIND}, - "defaults": {false, 0}, + "defaults": {true, syscall.MS_NODEV | syscall.MS_NOEXEC | syscall.MS_NOSUID | syscall.MS_RDONLY | syscall.MS_SYNCHRONOUS}, "dev": {true, syscall.MS_NODEV}, "diratime": {true, syscall.MS_NODIRATIME}, "dirsync": {false, syscall.MS_DIRSYNC},
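Review bot: with the first field set to true, `defaults` now clears MS_RDONLY, MS_NOSUID, MS_NODEV, MS_NOEXEC and MS_SYNCHRONOUS from whatever the options before it in the list accumulated (the same mechanism by which `dev` clears MS_NODEV and `async` clears MS_SYNCHRONOUS in the neighbouring rows), so a config that lists `nosuid,nodev,noexec,defaults` or `ro,defaults` ends up with those hardening bits silently removed. The commit message's own strace of `ro,defaults` shows util-linux 2.28.2 keeping MS_RDONLY, so this hunk diverges from the behaviour the spec points the reader at. Consider applying `defaults` only to bits that no other option in the list sets explicitly (or treating it as the starting state before the loop rather than as a clearing entry), and add a test covering both `ro,defaults` and `defaults,ro` so the order dependence is at least documented.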
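As an added example (not runc's code and not part of this patch), the following Go program reproduces the shape of the option table in the hunk above behind a hypothetical `parseFlags` loop that applies options left to right, and puts the patched `defaults` entry next to the no-op behaviour the commit message observed in util-linux 2.28.2. The MS_* values are copied from the Linux ABI so the example builds on any platform; the table, `parseFlags` and `droppedHardening` names are this example's own assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Linux MS_* values copied from <linux/mount.h> so the example builds on any
// platform; runc itself uses the syscall package's constants.
const (
	msRdonly      = 0x1
	msNosuid      = 0x2
	msNodev       = 0x4
	msNoexec      = 0x8
	msSynchronous = 0x10
)

// optionFlag mirrors the shape of the table in the hunk: clear=true means the
// option removes the bits in flag from the running total, clear=false adds them.
type optionFlag struct {
	clear bool
	flag  int
}

// patchedTable is a reduced, hypothetical copy of the table with the
// "defaults" entry exactly as the hunk sets it.
var patchedTable = map[string]optionFlag{
	"ro":       {false, msRdonly},
	"rw":       {true, msRdonly},
	"nosuid":   {false, msNosuid},
	"suid":     {true, msNosuid},
	"nodev":    {false, msNodev},
	"dev":      {true, msNodev},
	"noexec":   {false, msNoexec},
	"exec":     {true, msNoexec},
	"sync":     {false, msSynchronous},
	"async":    {true, msSynchronous},
	"defaults": {true, msNodev | msNoexec | msNosuid | msRdonly | msSynchronous},
}

// utilLinuxTable is the same table with "defaults" as a no-op, which is what
// the strace output in the commit message shows util-linux 2.28.2 doing.
var utilLinuxTable = func() map[string]optionFlag {
	t := make(map[string]optionFlag, len(patchedTable))
	for k, v := range patchedTable {
		t[k] = v
	}
	t["defaults"] = optionFlag{false, 0}
	return t
}()

// parseFlags applies options strictly left to right and returns the
// resulting mount(2) flag word, so later entries can undo earlier ones.
func parseFlags(table map[string]optionFlag, options []string) (int, error) {
	flags := 0
	for _, o := range options {
		f, ok := table[o]
		if !ok {
			return 0, fmt.Errorf("unknown mount option %q", o)
		}
		if f.clear {
			flags &^= f.flag
		} else {
			flags |= f.flag
		}
	}
	return flags, nil
}

// droppedHardening lists every explicitly requested bit-setting option (ro,
// nosuid, nodev, noexec, sync) whose bits are absent from the final word.
func droppedHardening(table map[string]optionFlag, options []string) []string {
	final, err := parseFlags(table, options)
	if err != nil {
		return nil
	}
	var dropped []string
	for _, o := range options {
		f := table[o]
		if f.clear || f.flag == 0 {
			continue
		}
		if final&f.flag != f.flag {
			dropped = append(dropped, o)
		}
	}
	return dropped
}

func main() {
	cases := [][]string{{"ro", "defaults"}, {"defaults", "ro"}, {"nosuid", "nodev", "noexec", "defaults"}}
	for _, opts := range cases {
		patched, _ := parseFlags(patchedTable, opts)
		legacy, _ := parseFlags(utilLinuxTable, opts)
		fmt.Printf("%-28s patched=%#x util-linux=%#x dropped=%v\n",
			strings.Join(opts, ","), patched, legacy, droppedHardening(patchedTable, opts))
	}
}
```

Running it shows `ro,defaults` producing a read-write mount under the patched table while the util-linux-style table keeps MS_RDONLY, and `nosuid,nodev,noexec,defaults` losing all three hardening bits; `droppedHardening` is the kind of check a config validator could run to flag such a list before it reaches mount(2).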