summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2020-07-14 22:49:48 +0200
committerGitHub <noreply@github.com>2020-07-14 22:49:48 +0200
commitc4843d4e9ce395f1bbcaae848e6172f5a4519a35 (patch)
treedf479f59402609ada247e006dd1986471b8b2dc4
parentf4edfe8430037dd629485489bceb63a455ccde05 (diff)
parent6054985f872f7d50b9c7a98faac77a0a6fde672b (diff)
downloadpodman-c4843d4e9ce395f1bbcaae848e6172f5a4519a35.tar.gz
podman-c4843d4e9ce395f1bbcaae848e6172f5a4519a35.tar.bz2
podman-c4843d4e9ce395f1bbcaae848e6172f5a4519a35.zip
Merge pull request #6957 from rhatdan/sysdev
Mask out /sys/dev to prevent information leak from the host
-rw-r--r--pkg/specgen/generate/config_linux.go1
1 files changed, 1 insertions, 0 deletions
diff --git a/pkg/specgen/generate/config_linux.go b/pkg/specgen/generate/config_linux.go
index b2d79f01b..9b6bd2827 100644
--- a/pkg/specgen/generate/config_linux.go
+++ b/pkg/specgen/generate/config_linux.go
@@ -150,6 +150,7 @@ func BlockAccessToKernelFilesystems(privileged, pidModeIsHost bool, g *generate.
"/proc/scsi",
"/sys/firmware",
"/sys/fs/selinux",
+ "/sys/dev",
} {
g.AddLinuxMaskedPaths(mp)
}