From 2bf24eb3891585583b55bc6c99dabe0146ff3cdb Mon Sep 17 00:00:00 2001
From: Oguz Bektas
Date: Fri, 5 Jul 2019 13:27:05 +0200
Subject: [PATCH] fix #1451: allow one to add mount options to CT mountpoints

for now allows the following non-problematic ones:

* noexec - Do not permit execution of binaries on the mounted FS
* noatime - Do not update inode access times on this filesystem
* nosuid - Do not allow suid or sgid bits to take effect
* nodev - Do not interpret character or block devices on the FS

Signed-off-by: Oguz Bektas
---
 src/PVE/LXC.pm        | 12 ++++++++++--
 src/PVE/LXC/Config.pm | 13 +++++++++++++
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index 4922fb0..13ead7f 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -1415,11 +1415,19 @@ sub mountpoint_mount {
     die "unknown snapshot path for '$volid'" if !$storage && defined($snapname);
-    my $optstring = '';
+    my @mountoptions= split(/;/, $mountpoint->{mountoptions});
+    my $optlist = [];
+    my $allowed_options = PVE::LXC::Config::get_mount_options();
+    foreach my $opt (@mountoptions) {
+        push @$optlist, $opt if $opt =~ $allowed_options
+    }
+
     my $acl = $mountpoint->{acl};
     if (defined($acl)) {
-        $optstring .= ($acl ? 'acl' : 'noacl');
+        push @$optlist, ($acl ? 'acl' : 'noacl');
     }
+
+    my $optstring = join(',', @$optlist);
     my $readonly = $mountpoint->{ro};
     my @extra_opts;
diff --git a/src/PVE/LXC/Config.pm b/src/PVE/LXC/Config.pm
index 8dcd73c..71788ba 100644
--- a/src/PVE/LXC/Config.pm
+++ b/src/PVE/LXC/Config.pm
@@ -216,6 +216,12 @@ sub __snapshot_foreach_volume {
 cfs_register_file('/lxc/', \&parse_pct_config, \&write_pct_config);
+my $mount_option = qr/(noatime|nodev|nosuid|noexec)/;
+
+sub get_mount_options {
+    return $mount_option;
+}
+
 my $rootfs_desc = {
     volume => {
         type => 'string',
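Review bot: The allowlist check `$opt =~ $allowed_options` in the new foreach loop is a substring match, because `$mount_option` in Config.pm carries no anchors and none are added here, so a value such as `noexec,foo` (a hand-edited config, or any path that bypasses the schema) passes the filter and lands verbatim in the `$optstring` built on the last added line. As this loop is the last check before the options reach the mount call, anchor it: `push @$optlist, $opt if $opt =~ /\A$allowed_options\z/;`. Silently skipping a non-matching option is also doubtful for hardening flags like noexec, since an admin who set it will assume it took effect; `die "invalid mount option '$opt'\n"` would be the safer behaviour. Separately, `mountoptions` is an optional property, so `split(/;/, $mountpoint->{mountoptions})` warns about an uninitialized value under `use warnings` whenever it is unset; write `split(/;/, $mountpoint->{mountoptions} // '')`. mountpoint_mount begins and ends outside this hunk.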
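Review bot: `get_mount_options` returns the compiled regex `$mount_option` rather than a list of options, so its name misleads callers into expecting a list; since the sub is new in this commit, a name such as `mount_option_regex` (or returning the list and deriving the regex from it) would make the contract obvious. The regex also deserves a comment explaining why exactly these four flags are accepted, e.g. `# Only hardening flags that can never widen what a container may do; vet any option before adding it here.`, and the group can be non-capturing, `qr/(?:noatime|nodev|nosuid|noexec)/`, since nothing reads `$1`. Note that the regex is deliberately unanchored so the schema pattern can repeat it with `;`, which means every use site (the filter in mountpoint_mount in LXC.pm, and the schema pattern itself) must supply its own `\A`/`\z` anchors; a comment stating that would prevent the next caller from using it as a whole-string check.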
@@ -236,6 +242,13 @@ my $rootfs_desc = {
         description => 'Explicitly enable or disable ACL support.',
         optional => 1,
     },
+    mountoptions => {
+        optional => 1,
+        type => 'string',
+        description => 'Extra mount options for rootfs/mps.',
+        format_description => 'opt[;opt...]',
+        pattern => qr/$mount_option(;$mount_option)*/,
+    },
     ro => {
         type => 'boolean',
         description => 'Read-only mount point',
-- 
2.39.2
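Review bot: `pattern => qr/$mount_option(;$mount_option)*/` only rejects unknown options if the schema validator anchors `pattern` to the whole value; that behaviour is not visible in this patch, and because `$mount_option` is itself unanchored the pattern as written would otherwise accept any string that merely contains one valid flag. Anchoring explicitly is harmless in either case and makes the intent self-evident: `pattern => qr/\A$mount_option(?:;$mount_option)*\z/,`. The description should also name the accepted flags, since a pattern-mismatch error will not, e.g. `description => 'Extra mount options for rootfs/mps (noatime, nodev, nosuid, noexec).',`. The enclosing `$rootfs_desc` hash starts and ends outside this hunk.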