authorGiuseppe Scrivano <gscrivan@redhat.com>2019-10-25 21:50:29 +0200
committerGiuseppe Scrivano <gscrivan@redhat.com>2019-10-25 21:50:29 +0200
commit0d5d6dab57590f9f52666031c1979f4cf136d12e (patch)
tree1ea299ce4051562eb8530a5b7b1f6971af20872c
parenta01cb220c8389adaeaa8fb2b4c4fbd65e77c0529 (diff)
systemd: mask /sys/fs/cgroup/systemd/release_agent
When running in systemd mode on cgroups v1, make sure that /sys/fs/cgroup/systemd/release_agent is masked; otherwise the container is able to modify it and execute scripts on the host. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
-rw-r--r--libpod/container_internal_linux.go1
1 files changed, 1 insertions, 0 deletions
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index b7d353327..283d38a0f 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -550,6 +550,7 @@ func (c *Container) setupSystemd(mounts []spec.Mount, g generate.Generator) erro
Options: []string{"bind", "nodev", "noexec", "nosuid"},
}
g.AddMount(systemdMnt)
+ g.AddLinuxMaskedPaths("/sys/fs/cgroup/systemd/release_agent")
}
return nil