authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2022-09-22 19:03:15 +0200
committerGitHub <noreply@github.com>2022-09-22 19:03:15 +0200
commit08993516a939576fa009db6e7ed32524026a822d (patch)
tree05fd47ec0708f53e095004af48b853cd41316d57
parent8bf3535447fe9f482b329e962e173ade26456e6d (diff)
parent5a2405ae1b3a51a7fb1f01de89bd6b2c60416f08 (diff)
Merge pull request #15895 from dcermak/don-expose-dev-for-privileged
Don't mount /dev/ inside privileged containers running systemd
-rw-r--r--libpod/container_internal_common.go6
-rw-r--r--pkg/util/utils_freebsd.go2
-rw-r--r--pkg/util/utils_linux.go5
-rw-r--r--test/system/030-run.bats18
4 files changed, 28 insertions, 3 deletions
diff --git a/libpod/container_internal_common.go b/libpod/container_internal_common.go
index 874e9affe..29107d4b6 100644
--- a/libpod/container_internal_common.go
+++ b/libpod/container_internal_common.go
@@ -109,7 +109,11 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
// If the flag to mount all devices is set for a privileged container, add
// all the devices from the host's machine into the container
if c.config.MountAllDevices {
- if err := util.AddPrivilegedDevices(&g); err != nil {
+ systemdMode := false
+ if c.config.Systemd != nil {
+ systemdMode = *c.config.Systemd
+ }
+ if err := util.AddPrivilegedDevices(&g, systemdMode); err != nil {
return nil, err
}
}
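Review bot: The three-line nil guard before the call can be collapsed into the idiomatic short-circuit form `systemdMode := c.config.Systemd != nil && *c.config.Systemd`, which reads as one expression and avoids the mutable `false` default. Worth confirming from the config side that `c.config.Systemd` holds the resolved systemd mode rather than the raw `--systemd` setting, because with the auto-detect default a nil or false value here would leave a systemd container with the full host tty set mounted; the hunk does not show where the field is populated. generateSpec's body continues outside the hunk.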
diff --git a/pkg/util/utils_freebsd.go b/pkg/util/utils_freebsd.go
index 9b0d7c8c7..ba91308af 100644
--- a/pkg/util/utils_freebsd.go
+++ b/pkg/util/utils_freebsd.go
@@ -13,6 +13,6 @@ func GetContainerPidInformationDescriptors() ([]string, error) {
return []string{}, errors.New("this function is not supported on freebsd")
}
-func AddPrivilegedDevices(g *generate.Generator) error {
+func AddPrivilegedDevices(g *generate.Generator, systemdMode bool) error {
return nil
}
diff --git a/pkg/util/utils_linux.go b/pkg/util/utils_linux.go
index 7b2d98666..07927db1c 100644
--- a/pkg/util/utils_linux.go
+++ b/pkg/util/utils_linux.go
@@ -70,7 +70,7 @@ func FindDeviceNodes() (map[string]string, error) {
return nodes, nil
}
-func AddPrivilegedDevices(g *generate.Generator) error {
+func AddPrivilegedDevices(g *generate.Generator, systemdMode bool) error {
hostDevices, err := getDevices("/dev")
if err != nil {
return err
@@ -104,6 +104,9 @@ func AddPrivilegedDevices(g *generate.Generator) error {
}
} else {
for _, d := range hostDevices {
+ if systemdMode && strings.HasPrefix(d.Path, "/dev/tty") {
+ continue
+ }
g.AddDevice(d)
}
// Add resources device - need to clear the existing one first.
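Review bot: The `strings.HasPrefix(d.Path, "/dev/tty")` skip has no comment saying why tty devices are withheld in systemd mode, and the prefix is broader than the commit title's intent of the host's ttyN virtual terminals: it also drops `/dev/ttyS*`, `/dev/ttyUSB*` and `/dev/ttyACM*` serial devices from privileged systemd containers, which is a silent behavior change for anyone who relied on `--privileged` to reach a serial adapter. If the broad match is deliberate, record it; I would add above the `continue`: `// systemd mode: keep the host's tty devices (ttyN VTs, and by this prefix also ttyS*/ttyUSB* serial ports) out of the container, presumably so a containerized systemd does not manage them as its own.` If it is not deliberate, a match restricted to `/dev/tty` followed by digits would be narrower. AddPrivilegedDevices begins in the previous hunk and continues past this one.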
diff --git a/test/system/030-run.bats b/test/system/030-run.bats
index 2abf749a1..65a1150a3 100644
--- a/test/system/030-run.bats
+++ b/test/system/030-run.bats
@@ -901,4 +901,22 @@ $IMAGE--c_ok" \
run_podman rm $ctr_name
}
+@test "podman run --privileged as root with systemd will not mount /dev/tty" {
+ skip_if_rootless "this test only makes sense as root"
+
+ ctr_name="container-$(random_string 5)"
+ run_podman run --rm -d --privileged --systemd=always --name "$ctr_name" "$IMAGE" /home/podman/pause
+
+ TTYs=$(ls /dev/tty*|sed '/^\/dev\/tty$/d')
+
+ if [[ $TTYs = "" ]]; then
+ die "Did not find any /dev/ttyN devices on local host"
+ else
+ run_podman exec "$ctr_name" ls /dev/
+ assert "$(grep tty <<<$output)" = "tty" "There must be no /dev/ttyN devices in the container"
+ fi
+
+ run_podman stop "$ctr_name"
+}
+
# vim: filetype=sh
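Review bot: The test only checks the systemd case, so a regression that skips tty devices for every privileged container (systemd or not) would still pass; a negative control pins the gate on systemd mode. After the existing assertion I would add `run_podman run --rm --privileged --systemd=false "$IMAGE" ls /dev/` followed by `assert "$output" =~ "tty[0-9]" "ttyN devices must still be mounted without systemd"`. Also note the host-side `ls /dev/tty*` at line 85 counts serial devices such as ttyS0 as "ttyN devices", so on a host with only serial ttys the die branch is bypassed while the container check still relies on the prefix skip.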