linux: Add src-nofollow & dest-nofollow options

giuseppe · giuseppe · commit 6d58afd42dc5 · 2025-05-27T18:26:46.000+02:00
Introduce `src-nofollow` and `dest-nofollow` bind mount options for more precise control over symbolic link handling. The `src-nofollow` option enables mounting the source symbolic link itself, rather than its target. The `dest-nofollow` option ensures that if the destination path is a symbolic link, the mount operation replaces the symbolic link itself, instead of dereferencing it and mounting to its target. Closes: containers#1761 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
diff --git a/crun.1 b/crun.1
@@ -661,6 +661,16 @@ destination instead of attempting a mount that would resolve the
 symlink itself.  If the destination already exists and it is not a
 symlink with the expected content, crun will return an error.
 
+.SH dest-nofollow
+When this option is specified for a bind mount, and the destination of
+the bind mount is a symbolic link, \fBcrun\fR will mount the symbolic link
+itself at the target destination.
+
+.SH src-nofollow
+When this option is specified for a bind mount, and the source of the
+bind mount is a symbolic link, \fBcrun\fR will use the symlink itself
+rather than the file or directory the symbolic link points to.
+
 .SH r$FLAG mount options
 If a \fBr$FLAG\fR mount option is specified then the flag \fB$FLAG\fR is set
 recursively for each children mount.
diff --git a/crun.1.md b/crun.1.md
@@ -571,6 +571,16 @@ destination instead of attempting a mount that would resolve the
 symlink itself.  If the destination already exists and it is not a
 symlink with the expected content, crun will return an error.
 
+## dest-nofollow
+When this option is specified for a bind mount, and the destination of
+the bind mount is a symbolic link, `crun` will mount the symbolic link
+itself at the target destination.
+
+## src-nofollow
+When this option is specified for a bind mount, and the source of the
+bind mount is a symbolic link, `crun` will use the symlink itself
+rather than the file or directory the symbolic link points to.
+
 ## r$FLAG mount options
 
 If a `r$FLAG` mount option is specified then the flag `$FLAG` is set
diff --git a/src/libcrun/linux.c b/src/libcrun/linux.c
@@ -2070,6 +2070,7 @@ do_mounts (libcrun_container_t *container, const char *rootfs, libcrun_error_t *
   for (i = 0; i < def->mounts_len; i++)
     {
       const char *target = consume_slashes (def->mounts[i]->destination);
+      cleanup_close int source_mountfd = -1;
       cleanup_free char *data = NULL;
       char *type;
       char *source;
@@ -2083,6 +2084,9 @@ do_mounts (libcrun_container_t *container, const char *rootfs, libcrun_error_t *
       uint64_t rec_clear = 0;
       uint64_t rec_set = 0;
 
+      if (mount_fds)
+        source_mountfd = get_and_reset (&(mount_fds->fds[i]));
+
       type = def->mounts[i]->type;
 
       if (def->mounts[i]->options == NULL)
@@ -2126,14 +2130,29 @@ do_mounts (libcrun_container_t *container, const char *rootfs, libcrun_error_t *
               path = proc_buf;
             }
 
-          ret = get_file_type (&src_mode, (extra_flags & OPTION_COPY_SYMLINK) ? true : false, path);
+          if ((extra_flags & OPTION_COPY_SYMLINK) && (extra_flags & (OPTION_SRC_NOFOLLOW | OPTION_DEST_NOFOLLOW)))
+            return crun_make_error (err, 0, "`copy-symlink` is mutually exclusive with `src-nofollow` and `dest-nofollow`");
+
+          /* Do not resolve the symlink only when src-nofollow and copy-symlink are used.  */
+          ret = get_file_type (&src_mode, (extra_flags & (OPTION_SRC_NOFOLLOW | OPTION_COPY_SYMLINK)) ? true : false, path);
           if (UNLIKELY (ret < 0))
             return crun_make_error (err, errno, "cannot stat `%s`", path);
 
+          if (S_ISLNK (src_mode) && (extra_flags & OPTION_DEST_NOFOLLOW))
+            {
+              close_and_reset (&source_mountfd);
+
+              ret = get_bind_mount (AT_FDCWD, def->mounts[i]->source, true, true, extra_flags & OPTION_SRC_NOFOLLOW, err);
+              if (UNLIKELY (ret < 0))
+                return ret;
+
+              source_mountfd = ret;
+            }
+
           data = append_mode_if_missing (data, "mode=1755");
         }
 
-      if (S_ISLNK (src_mode))
+      if (S_ISLNK (src_mode) && (extra_flags & OPTION_COPY_SYMLINK))
         {
           cleanup_free char *target = NULL;
           ssize_t len;
@@ -2181,12 +2200,22 @@ do_mounts (libcrun_container_t *container, const char *rootfs, libcrun_error_t *
         {
           bool is_dir = S_ISDIR (src_mode);
 
-          /* Make sure any other directory/file is created and take a O_PATH reference to it.  */
-          ret = crun_safe_create_and_open_ref_at (is_dir, get_private_data (container)->rootfsfd, rootfs, target, is_dir ? 01755 : 0755, err);
-          if (UNLIKELY (ret < 0))
-            return ret;
-
-          targetfd = ret;
+          if (extra_flags & OPTION_DEST_NOFOLLOW)
+            {
+              /* If dest-nofollow is specified, expect the target to exist.  */
+              ret = safe_openat (get_private_data (container)->rootfsfd, rootfs, target, O_PATH | O_NOFOLLOW | O_CLOEXEC, 0, err);
+              if (UNLIKELY (ret < 0))
+                return ret;
+              targetfd = ret;
+            }
+          else
+            {
+              /* Make sure any other directory/file is created and take a O_PATH reference to it.  */
+              ret = crun_safe_create_and_open_ref_at (is_dir, get_private_data (container)->rootfsfd, rootfs, target, is_dir ? 01755 : 0755, err);
+              if (UNLIKELY (ret < 0))
+                return ret;
+              targetfd = ret;
+            }
         }
 
       if (extra_flags & OPTION_TMPCOPYUP)
@@ -2206,15 +2235,14 @@ do_mounts (libcrun_container_t *container, const char *rootfs, libcrun_error_t *
       source = def->mounts[i]->source ? def->mounts[i]->source : type;
 
       /* Check if there is already a mount for the requested file system.  */
-      if (! mounted && mount_fds && mount_fds->fds[i] >= 0)
+      if (! mounted && source_mountfd >= 0)
         {
-          cleanup_close int mfd = get_and_reset (&(mount_fds->fds[i]));
 
-          ret = fs_move_mount_to (mfd, targetfd, NULL);
+          ret = fs_move_mount_to (source_mountfd, targetfd, NULL);
           if (LIKELY (ret == 0))
             {
               /* Force no MS_BIND flag to not attempt again the bind mount.  */
-              ret = do_mount (container, NULL, mfd, target, NULL, flags & ~MS_BIND, data, LABEL_NONE, err);
+              ret = do_mount (container, NULL, source_mountfd, target, NULL, flags & ~MS_BIND, data, LABEL_NONE, err);
               if (UNLIKELY (ret < 0))
                 return ret;
               mounted = true;
diff --git a/tests/test_mounts.py b/tests/test_mounts.py
@@ -151,20 +151,20 @@ def test_ro_cgroup():
                 add_all_namespaces(conf, cgroupns=cgroupns, netns=netns)
                 mounts = [
                     {
-	                "destination": "/sys",
-	                "type": "sysfs",
-	                "source": "sysfs",
-	                "options": [
-		            "nosuid",
-		            "noexec",
-		            "nodev",
-		            "ro"
-	                ]
-	            },
+                        "destination": "/sys",
+                        "type": "sysfs",
+                        "source": "sysfs",
+                        "options": [
+                            "nosuid",
+                            "noexec",
+                            "nodev",
+                            "ro"
+                        ]
+                    },
                     {
-	                "destination": "/proc",
-	                "type": "proc"
-	            }
+                        "destination": "/proc",
+                        "type": "proc"
+                    }
                 ]
 
                 if has_cgroup_mount:
@@ -583,28 +583,28 @@ def test_cgroup_mount_without_netns():
         add_all_namespaces(conf, cgroupns=cgroupns, netns=False)
         mounts = [
             {
-	        "destination": "/proc",
-	        "type": "proc"
-	    },
+                "destination": "/proc",
+                "type": "proc"
+            },
             {
-	        "destination": "/sys",
-	        "type": "bind",
-	        "source": "/sys",
-	        "options": [
+                "destination": "/sys",
+                "type": "bind",
+                "source": "/sys",
+                "options": [
                     "rprivate",
                     "nosuid",
                     "noexec",
                     "nodev",
                     "ro",
                     "rbind"
-	        ]
-	    },
+                ]
+            },
             {
                 "destination": "/sys/fs/cgroup",
                 "type": "cgroup",
                 "source": "cgroup",
                 "options": [
-	            "rprivate",
+                    "rprivate",
                     "nosuid",
                     "noexec",
                     "nodev",
@@ -703,6 +703,81 @@ def test_mount_help():
     
     return 0
 
+def test_bind_mount_symlink_nofollow():
+    root = get_tests_root()
+    file_target = os.path.join(root, "a-file")
+    symlink = os.path.join(root, "a-symlink")
+    target_content = file_target
+    file_target_content = "inside-the-file"
+
+    with open(file_target, "w+") as f:
+        f.write(file_target_content)
+
+    os.symlink(target_content, symlink)
+
+    def prepare_rootfs(rootfs):
+        path = os.path.join(rootfs, "target")
+        os.symlink("point-to-nowhere", path)
+
+    for src_nofollow in [True, False]:
+        conf = base_config()
+        add_all_namespaces(conf)
+        if src_nofollow:
+            options = ["bind", "dest-nofollow", "src-nofollow"]
+            conf['process']['args'] = ['/init', 'readlink', '/target']
+            expected = target_content
+        else:
+            options = ["bind", "dest-nofollow"]
+            conf['process']['args'] = ['/init', 'cat', '/target']
+            expected = file_target_content
+
+        mount_opt = {"destination": "/target", "type": "bind", "source": symlink, "options": options}
+        conf['mounts'].append(mount_opt)
+
+        try:
+            out, _ = run_and_get_output(conf, hide_stderr=True,callback_prepare_rootfs=prepare_rootfs)
+            sys.stderr.write("got output %s\n" % out)
+            if expected not in out:
+                return -1
+        except Exception as e:
+            sys.stderr.write("error %s\n" % e)
+            return -1
+
+    return 0
+
+def test_bind_mount_file_nofollow():
+    root = get_tests_root()
+    target = os.path.join(root, "a-file")
+    target_content = "content-of-file"
+
+    with open(target, "w+") as f:
+        f.write(target_content)
+
+    def prepare_rootfs(rootfs):
+        path = os.path.join(rootfs, "symlink")
+        os.symlink("point-to-nowhere", path)
+
+    for src_nofollow in [True, False]:
+        conf = base_config()
+        conf['process']['args'] = ['/init', 'cat', '/symlink']
+        add_all_namespaces(conf)
+        if src_nofollow:
+            options = ["bind", "dest-nofollow", "src-nofollow"]
+        else:
+            options = ["bind", "dest-nofollow"]
+        mount_opt = {"destination": "/symlink", "type": "bind", "source": target, "options": options}
+        conf['mounts'].append(mount_opt)
+
+    try:
+        out, _ = run_and_get_output(conf, hide_stderr=True,callback_prepare_rootfs=prepare_rootfs)
+        sys.stderr.write("got output %s\n" % out)
+        if target_content in out:
+            return 0
+    except Exception as e:
+        sys.stderr.write("error %s\n" % e)
+        pass
+    return -1
+
 all_tests = {
     "mount-ro" : test_mount_ro,
     "mount-rro" : test_mount_rro,
@@ -732,6 +807,8 @@ def test_mount_help():
     "mount-ro-cgroup": test_ro_cgroup,
     "mount-cgroup-without-netns": test_cgroup_mount_without_netns,
     "mount-copy-symlink": test_copy_symlink,
+    "mount-bind-mount-symlink-nofollow": test_bind_mount_symlink_nofollow,
+    "mount-bind-mount-file-nofollow": test_bind_mount_file_nofollow,
     "mount-tmpfs-permissions": test_mount_tmpfs_permissions,
     "mount-add-remove-mounts": test_add_remove_mounts,
     "mount-help": test_mount_help,
diff --git a/tests/test_oci_features.py b/tests/test_oci_features.py
@@ -106,6 +106,8 @@ def test_crun_features():
                 "defaults",
                 "async",
                 "rasync",
+                "dest-nofollow",
+                "src-nofollow",
                 "private",
                 "tmpcopyup",
                 "rexec",
