diff options
author | Giuseppe Scrivano <gscrivan@redhat.com> | 2019-04-11 15:54:35 +0200 |
---|---|---|
committer | Giuseppe Scrivano <gscrivan@redhat.com> | 2019-04-11 15:55:34 +0200 |
commit | 2c9c40dc82141d3876d08fa5421f380b975a387b (patch) | |
tree | 2d26d68540b08ee6efd7026ec1ff7f8a5574a356 | |
parent | 42eb9eaf294509e560dbf603f985c1dfdbc10f57 (diff) | |
download | podman-2c9c40dc82141d3876d08fa5421f380b975a387b.tar.gz podman-2c9c40dc82141d3876d08fa5421f380b975a387b.tar.bz2 podman-2c9c40dc82141d3876d08fa5421f380b975a387b.zip |
spec: mask /sys/kernel when bind mounting /sys
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
-rw-r--r-- | pkg/spec/spec.go | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go index 33c9fd6f3..0371b6d4d 100644 --- a/pkg/spec/spec.go +++ b/pkg/spec/spec.go @@ -132,6 +132,9 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint Options: []string{"rprivate", "nosuid", "noexec", "nodev", r, "rbind"}, } g.AddMount(sysMnt) + if !config.Privileged && isRootless { + g.AddLinuxMaskedPaths("/sys/kernel") + } } if isRootless { nGids, err := getAvailableGids() @@ -500,7 +503,6 @@ func blockAccessToKernelFilesystems(config *CreateConfig, g *generate.Generator) "/proc/scsi", "/sys/firmware", "/sys/fs/selinux", - "/sys/kernel", } { g.AddLinuxMaskedPaths(mp) } |