How to disallow executables specifically for volumes?

Here is an example docker-compose.yml with a volume, but how to disable executability?

services:
  test:
    runtime: runsc
    image: alpine:latest
    read_only: true
    volumes:
      - ./testdir:/testdir
    command: /testdir/run.sh
    cap_drop:
      - ALL

I disable executability for specific mounted filesystem directories on Linux through /etc/fstab with noexec, so how about adding noexec to the ./testdir volume to disable executability? Also, I want to allow writing files; I just don't want them to be run as executables.

Doubt it matters, but I use gVisor.

./testdir has permissions read+write 666; I still can't write files when I do that, it needs executability.

I want to disallow executables to increase security of a docker container.


I guess my only choice is to mount --bind -o noexec ./testdir, or basically just have the volume somewhere already with noexec.

Edit: I guess not; even with the volume mounted with noexec, I can still execute the file in the container, though not on the host.

Never mind, it was a gVisor issue. I found this post on Stack Overflow with the opposite issue to mine: Mount volume into docker container without noexec option - Stack Overflow

I checked inside my container with the mount command and saw this:

without gvisor:
/dev/sda1 on /testdir type ext4 (rw,noexec,relatime)

with gvisor:
none on /testdir type 9p (rw,trans=fd,rfdno=5,wfdno=5,aname=/,dfltuid=4294967294,dfltgid=4294967294,dcache=1000,cache=remote_revalidating,disable_fifo_open,directfs)

Using gVisor removed noexec from the mount, but there is a fix; I just need to update gVisor.
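The check the poster did by hand (run mount inside the container and look for noexec on /testdir) can be scripted so it can be repeated after every runtime or gVisor update. The script below is an added example, not code from the thread or from the Docker or gVisor projects; the function name check_mount_opt and its exit codes are my own choice, and the two sample mount-table lines are the ones quoted in the thread, embedded so the script runs offline.

```shell
#!/bin/sh
# Added example: verify that a mount point carries a given mount option.
# Reads mount-table lines in the format that `mount` prints:
#   "SRC on DST type FSTYPE (opt1,opt2,...)"
# Inside a container you would feed it the real table, e.g.
#   mount | check_mount_opt /testdir noexec && echo "noexec enforced"

# check_mount_opt MOUNTPOINT OPTION < mount-table
# Exit 0 when MOUNTPOINT is listed with OPTION, 1 when it is listed
# without it, 2 when MOUNTPOINT does not appear in the table at all.
check_mount_opt() {
    mp="$1"; opt="$2"
    awk -v mp="$mp" -v opt="$opt" '
        $2 == "on" && $3 == mp {
            found = 1
            # the options are the parenthesised, comma-separated last field
            o = $NF
            gsub(/[()]/, "", o)
            n = split(o, parts, ",")
            for (i = 1; i <= n; i++) {
                if (parts[i] == opt) { rc = 0; exit }
            }
            rc = 1; exit
        }
        END { if (!found) rc = 2; exit rc }
    '
}

# The two entries quoted in the thread: the runc mount keeps noexec, the
# gVisor (9p) mount has lost it. Embedded here as sample input.
SAMPLE_RUNC='/dev/sda1 on /testdir type ext4 (rw,noexec,relatime)'
SAMPLE_GVISOR='none on /testdir type 9p (rw,trans=fd,rfdno=5,wfdno=5,aname=/,dfltuid=4294967294,dfltgid=4294967294,dcache=1000,cache=remote_revalidating,disable_fifo_open,directfs)'

# check_sample LINE: run the /testdir + noexec check against one sample line
# and return check_mount_opt's status.
check_sample() {
    printf '%s\n' "$1" | check_mount_opt /testdir noexec
}

# Stand-alone demo: report both samples.
for s in "$SAMPLE_RUNC" "$SAMPLE_GVISOR"; do
    if check_sample "$s"; then
        echo "noexec present: $s"
    else
        echo "noexec MISSING: $s"
    fi
done
```

Treat a result other than 0 as a failed hardening check: a missing noexec means a file written into the volume can still be executed inside the container, which is exactly the gVisor behaviour the thread ran into.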
