From: Gregory M. Kurtzer <gmkurtzer@lbl.gov>
Subject: Conditionally disable MS_NODEV when running as root

--- a/src/lib/rootfs/dir/dir.c
+++ b/src/lib/rootfs/dir/dir.c
@@ -65,6 +65,7 @@ int rootfs_dir_init(char *source, char *
 
 
 int rootfs_dir_mount(void) {
+    int opts = MS_BIND|MS_NOSUID|MS_REC;
 
     if ( ( mount_point == NULL ) || ( source_dir == NULL ) ) {
         singularity_message(ERROR, "Called image_mount but image_init() hasn't been called\n");
@@ -76,9 +77,13 @@ int rootfs_dir_mount(void) {
         ABORT(255);
     }
 
+    if ( getuid() != 0 ) {
+        opts |= MS_NODEV;
+    }
+
     singularity_priv_escalate();
     singularity_message(DEBUG, "Mounting container directory %s->%s\n", source_dir, mount_point);
-    if ( mount(source_dir, mount_point, NULL, MS_BIND|MS_NOSUID|MS_REC|MS_NODEV, NULL) < 0 ) {
+    if ( mount(source_dir, mount_point, NULL, opts, NULL) < 0 ) {
         singularity_message(ERROR, "Could not mount container directory %s->%s: %s\n", source_dir, mount_point, strerror(errno));
         return 1;
     }
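Review bot: The `getuid() != 0` test added at the top of this hunk is the only thing deciding whether the kernel's nodev protection applies to the bind-mounted rootfs, and the root path leaves no trace in the log, so an operator reading VERBOSE output cannot tell that a root invocation got a mount where device nodes are honored. Add an else branch that records the weaker mount, e.g. `} else { singularity_message(VERBOSE, "Running as root, not setting MS_NODEV on container rootfs\n"); }`, next to the DEBUG line that already prints the mount. Checking the real uid rather than the effective one is presumably deliberate because singularity_priv_escalate() raises the effective uid afterwards; a one-line comment saying so (`/* real uid: the invoking user, not the escalated effective uid */`) would stop a later reader from "fixing" it to geteuid(). If the user-namespace mode visible further down ever maps the invoking user to uid 0 inside the namespace, this test would drop MS_NODEV for an unprivileged user as well — worth confirming against the uid_map code, which is not in this diff. rootfs_dir_mount continues outside the hunk.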
@@ -88,7 +93,7 @@ int rootfs_dir_mount(void) {
         if ( singularity_ns_user_enabled() <= 0 ) {
             singularity_priv_escalate();
             singularity_message(VERBOSE2, "Making mount read only: %s\n", mount_point);
-            if ( mount(NULL, mount_point, NULL, MS_BIND|MS_NOSUID|MS_REC|MS_REMOUNT|MS_RDONLY|MS_NODEV, NULL) < 0 ) {
+            if ( mount(NULL, mount_point, NULL, opts|MS_REMOUNT|MS_RDONLY, NULL) < 0 ) {
                 singularity_message(ERROR, "Could not bind read only %s: %s\n", mount_point, strerror(errno));
                 ABORT(255);
             }
--- a/src/lib/rootfs/image/image.c
+++ b/src/lib/rootfs/image/image.c
@@ -100,6 +100,7 @@ int rootfs_image_init(char *source, char
 
 
 int rootfs_image_mount(void) {
+    int opts = MS_NOSUID;
 
     if ( mount_point == NULL ) {
         singularity_message(ERROR, "Called image_mount but image_init() hasn't been called\n");
@@ -122,12 +123,15 @@ int rootfs_image_mount(void) {
         ABORT(255);
     }
 
+    if ( getuid() != 0 ) {
+        opts |= MS_NODEV;
+    }
 
     if ( read_write > 0 ) {
         singularity_message(VERBOSE, "Mounting image in read/write\n");
         singularity_priv_escalate();
-        if ( mount(loop_dev, mount_point, "ext3", MS_NOSUID|MS_NODEV, "errors=remount-ro") < 0 ) {
-            if ( mount(loop_dev, mount_point, "ext4", MS_NOSUID|MS_NODEV, "errors=remount-ro") < 0 ) {
+        if ( mount(loop_dev, mount_point, "ext3", opts, "errors=remount-ro") < 0 ) {
+            if ( mount(loop_dev, mount_point, "ext4", opts, "errors=remount-ro") < 0 ) {
                 singularity_message(ERROR, "Failed to mount image in (read/write): %s\n", strerror(errno));
                 ABORT(255);
             }
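Review bot: The image mounted through loop_dev is user-supplied content, and with MS_NODEV dropped on the root path any device node inside that ext3/ext4 image (a block node for a host disk, a /dev/mem-style character node) becomes usable from inside the container; root can mknod anyway, so this is consistent, but it removes a defense-in-depth layer when root runs an image it did not build, and the hunk neither comments nor logs that. Suggest a comment above the check, `/* root can mknod regardless, so honour device nodes in the image; unprivileged users keep MS_NODEV */`, plus a VERBOSE message in an else branch mirroring the existing "Mounting image in read/write" line so the weaker mount is visible in output. The same three-line uid test now appears verbatim in dir.c; a small shared helper returning the base mount flags would keep the two rootfs backends from drifting apart. rootfs_image_mount's signature and the priv_escalate that precedes the mount are outside this hunk.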
@@ -136,8 +140,8 @@ int rootfs_image_mount(void) {
     } else {
         singularity_priv_escalate();
         singularity_message(VERBOSE, "Mounting image in read/only\n");
-        if ( mount(loop_dev, mount_point, "ext3", MS_NOSUID|MS_RDONLY|MS_NODEV, "errors=remount-ro") < 0 ) {
-            if ( mount(loop_dev, mount_point, "ext4", MS_NOSUID|MS_RDONLY|MS_NODEV, "errors=remount-ro") < 0 ) {
+        if ( mount(loop_dev, mount_point, "ext3", opts|MS_RDONLY, "errors=remount-ro") < 0 ) {
+            if ( mount(loop_dev, mount_point, "ext4", opts|MS_RDONLY, "errors=remount-ro") < 0 ) {
                 singularity_message(ERROR, "Failed to mount image in (read only): %s\n", strerror(errno));
                 ABORT(255);
             }
