commit f79e853d9ee8a15b1d16cdc7dfbe85eca50efc6d
Author: Gregory M. Kurtzer <gmkurtzer@lbl.gov>
Date:   Thu Feb 2 22:37:50 2017 +0000

    Utilize mount option MS_NODEV for images

diff --git a/src/lib/rootfs/dir/dir.c b/src/lib/rootfs/dir/dir.c
index c6ba1a8c..75fa6468 100644
--- a/src/lib/rootfs/dir/dir.c
+++ b/src/lib/rootfs/dir/dir.c
@@ -78,7 +78,7 @@ int rootfs_dir_mount(void) {
 
     singularity_priv_escalate();
     singularity_message(DEBUG, "Mounting container directory %s->%s\n", source_dir, mount_point);
-    if ( mount(source_dir, mount_point, NULL, MS_BIND|MS_NOSUID|MS_REC, NULL) < 0 ) {
+    if ( mount(source_dir, mount_point, NULL, MS_BIND|MS_NOSUID|MS_REC|MS_NODEV, NULL) < 0 ) {
         singularity_message(ERROR, "Could not mount container directory %s->%s: %s\n", source_dir, mount_point, strerror(errno));
         return 1;
     }
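Review bot: The `MS_NODEV` added to the initial bind mount most likely has no effect. Per mount(2), when `MS_BIND` is set the kernel ignores the remaining flag bits other than `MS_REC`, so the new mount inherits the options of the underlying mount; the same holds for the existing `MS_NOSUID`. The flags only take effect through a follow-up `MS_REMOUNT|MS_BIND` call, and the only one visible in this diff is in the next hunk, behind `singularity_ns_user_enabled() <= 0` and what appears to be an outer condition. If the directory can also be mounted without that remount, consider an unconditional `mount(NULL, mount_point, NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NODEV, NULL)` right after the bind. The body of rootfs_dir_mount continues outside the hunk, so a remount elsewhere cannot be ruled out.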
@@ -88,7 +88,7 @@ int rootfs_dir_mount(void) {
         if ( singularity_ns_user_enabled() <= 0 ) {
             singularity_priv_escalate();
             singularity_message(VERBOSE2, "Making mount read only: %s\n", mount_point);
-            if ( mount(NULL, mount_point, NULL, MS_BIND|MS_NOSUID|MS_REC|MS_REMOUNT|MS_RDONLY, NULL) < 0 ) {
+            if ( mount(NULL, mount_point, NULL, MS_BIND|MS_NOSUID|MS_REC|MS_REMOUNT|MS_RDONLY|MS_NODEV, NULL) < 0 ) {
                 singularity_message(ERROR, "Could not bind read only %s: %s\n", mount_point, strerror(errno));
                 ABORT(255);
             }
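Review bot: As far as I know, `MS_REC` is not applied recursively on a `MS_REMOUNT|MS_BIND` call, so this remount changes the flags of the mount at `mount_point` only. Submounts carried over by the recursive bind in the previous hunk would keep their own options, so they could still honour device nodes or stay writable. If the source directory can contain submounts, they need to be remounted individually. Otherwise a comment at this call would record the limit, e.g. `/* remount applies to the top mount only; submounts from MS_REC keep their flags */`. The enclosing condition starts outside the hunk.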
diff --git a/src/lib/rootfs/image/image.c b/src/lib/rootfs/image/image.c
index 0db44999..8f3261fd 100644
--- a/src/lib/rootfs/image/image.c
+++ b/src/lib/rootfs/image/image.c
@@ -126,8 +126,8 @@ int rootfs_image_mount(void) {
     if ( read_write > 0 ) {
         singularity_message(VERBOSE, "Mounting image in read/write\n");
         singularity_priv_escalate();
-        if ( mount(loop_dev, mount_point, "ext3", MS_NOSUID, "errors=remount-ro") < 0 ) {
-            if ( mount(loop_dev, mount_point, "ext4", MS_NOSUID, "errors=remount-ro") < 0 ) {
+        if ( mount(loop_dev, mount_point, "ext3", MS_NOSUID|MS_NODEV, "errors=remount-ro") < 0 ) {
+            if ( mount(loop_dev, mount_point, "ext4", MS_NOSUID|MS_NODEV, "errors=remount-ro") < 0 ) {
                 singularity_message(ERROR, "Failed to mount image in (read/write): %s\n", strerror(errno));
                 ABORT(255);
             }
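Review bot: The reason for `MS_NODEV` is not recorded at the call sites. The image is presumably user-supplied, so a comment above the first mount, such as `/* image content is untrusted: never honour device nodes or setuid bits inside it */`, would keep the flag from being dropped in a later edit. The same flag set is also spelled out four times in rootfs_image_mount, here and in the read-only hunk below. A single local, `const unsigned long base_flags = MS_NOSUID|MS_NODEV;`, with `base_flags|MS_RDONLY` in the read-only branch, would stop the ext3 and ext4 calls from drifting apart. The function body extends beyond the hunk.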
@@ -136,8 +136,8 @@ int rootfs_image_mount(void) {
     } else {
         singularity_priv_escalate();
         singularity_message(VERBOSE, "Mounting image in read/only\n");
-        if ( mount(loop_dev, mount_point, "ext3", MS_NOSUID|MS_RDONLY, "errors=remount-ro") < 0 ) {
-            if ( mount(loop_dev, mount_point, "ext4", MS_NOSUID|MS_RDONLY, "errors=remount-ro") < 0 ) {
+        if ( mount(loop_dev, mount_point, "ext3", MS_NOSUID|MS_RDONLY|MS_NODEV, "errors=remount-ro") < 0 ) {
+            if ( mount(loop_dev, mount_point, "ext4", MS_NOSUID|MS_RDONLY|MS_NODEV, "errors=remount-ro") < 0 ) {
                 singularity_message(ERROR, "Failed to mount image in (read only): %s\n", strerror(errno));
                 ABORT(255);
             }
diff --git a/src/lib/rootfs/squashfs/squashfs.c b/src/lib/rootfs/squashfs/squashfs.c
index df71f4c2..82f2dfc5 100644
--- a/src/lib/rootfs/squashfs/squashfs.c
+++ b/src/lib/rootfs/squashfs/squashfs.c
@@ -104,7 +104,7 @@ int rootfs_squashfs_mount(void) {
 
     singularity_priv_escalate();
     singularity_message(VERBOSE, "Mounting squashfs image\n");
-    if ( mount(loop_dev, mount_point, "squashfs", MS_NOSUID|MS_RDONLY, "errors=remount-ro") < 0 ) {
+    if ( mount(loop_dev, mount_point, "squashfs", MS_NOSUID|MS_RDONLY|MS_NODEV, "errors=remount-ro") < 0 ) {
         singularity_message(ERROR, "Failed to mount squashfs image in (read only): %s\n", strerror(errno));
         ABORT(255);
     }
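Review bot: The data string `"errors=remount-ro"` on the squashfs mount is an ext-style option that squashfs, to my knowledge, does not define. Kernels where squashfs does not parse options ignore it, but kernels that validate squashfs mount options may reject the call with EINVAL. Since the mount is already `MS_RDONLY`, passing `NULL` as the last argument loses nothing: `mount(loop_dev, mount_point, "squashfs", MS_NOSUID|MS_RDONLY|MS_NODEV, NULL)`. The rest of rootfs_squashfs_mount is outside the hunk.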
