authorGiuseppe Scrivano <gscrivan@redhat.com>2019-04-11 15:54:35 +0200
committerGiuseppe Scrivano <gscrivan@redhat.com>2019-04-11 15:55:34 +0200
commit2c9c40dc82141d3876d08fa5421f380b975a387b (patch)
tree2d26d68540b08ee6efd7026ec1ff7f8a5574a356
parent42eb9eaf294509e560dbf603f985c1dfdbc10f57 (diff)
spec: mask /sys/kernel when bind mounting /sys
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
-rw-r--r--pkg/spec/spec.go4
1 files changed, 3 insertions, 1 deletions
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index 33c9fd6f3..0371b6d4d 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -132,6 +132,9 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
Options: []string{"rprivate", "nosuid", "noexec", "nodev", r, "rbind"},
}
g.AddMount(sysMnt)
+ if !config.Privileged && isRootless {
+ g.AddLinuxMaskedPaths("/sys/kernel")
+ }
}
if isRootless {
nGids, err := getAvailableGids()
@@ -500,7 +503,6 @@ func blockAccessToKernelFilesystems(config *CreateConfig, g *generate.Generator)
"/proc/scsi",
"/sys/firmware",
"/sys/fs/selinux",
- "/sys/kernel",
} {
g.AddLinuxMaskedPaths(mp)
}
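Review bot: Removing `"/sys/kernel"` from the list in blockAccessToKernelFilesystems (second hunk) narrows the mask to the `!config.Privileged && isRootless` case added in the first hunk, so a rootful non-privileged container no longer gets /sys/kernel masked at all, and the commit message only describes the bind-mount case, not this loss. If the enclosing `if` of the first hunk (its condition starts outside the hunk) also covers rootful configurations that bind-mount the host /sys, those containers now expose /sys/kernel with neither a fresh sysfs nor a mask, which is presumably not intended. If the narrowing is deliberate, the new call site should say why, e.g. `// rootless: /sys is the host's bind-mounted sysfs, so mask /sys/kernel here instead of in blockAccessToKernelFilesystems`; otherwise keeping the entry in the default list and dropping the conditional `g.AddLinuxMaskedPaths("/sys/kernel")` preserves the previous coverage (whether a duplicated masked path is harmless depends on the generator, so verify before relying on both).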