author | Giuseppe Scrivano <gscrivan@redhat.com> | 2018-08-22 17:45:07 +0200 |
---|---|---|
committer | Atomic Bot <atomic-devel@projectatomic.io> | 2018-08-22 20:32:27 +0000 |
commit | 77bcc89d526745b2e0d17d94974990a134908751 (patch) | |
tree | f70db4c7dac13ac4a4d94d9703183297daf46b44 | |
parent | b4420e22fc838fd2bd9712d476656ed6e891d4c8 (diff) | |
rootless: fix --net host --privileged
Closes: https://github.com/containers/libpod/issues/1313
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1323
Approved by: umohnani8
-rw-r--r-- | pkg/spec/spec.go | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/pkg/spec/spec.go b/pkg/spec/spec.go
index dec3a05ef..7323b2d2b 100644
--- a/pkg/spec/spec.go
+++ b/pkg/spec/spec.go
@@ -25,7 +25,13 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
 }
 g.HostSpecific = true
 addCgroup := true
- if config.Privileged {
+ canMountSys := true
+
+ if !config.UsernsMode.IsHost() && config.NetMode.IsHost() {
+ canMountSys = false
+ }
+
+ if config.Privileged && canMountSys {
 cgroupPerm = "rw"
 g.RemoveMount("/sys")
 sysMnt := spec.Mount{
@@ -35,14 +41,18 @@ func CreateConfigToOCISpec(config *CreateConfig) (*spec.Spec, error) { //nolint
 Options: []string{"nosuid", "noexec", "nodev", "rw"},
 }
 g.AddMount(sysMnt)
- } else if !config.UsernsMode.IsHost() && config.NetMode.IsHost() {
+ } else if !canMountSys {
 addCgroup = false
 g.RemoveMount("/sys")
+ r := "ro"
+ if config.Privileged {
+ r = "rw"
+ }
 sysMnt := spec.Mount{
 Destination: "/sys",
 Type: "bind",
 Source: "/sys",
- Options: []string{"nosuid", "noexec", "nodev", "ro", "rbind"},
+ Options: []string{"nosuid", "noexec", "nodev", r, "rbind"},
 }
 g.AddMount(sysMnt)
 } |
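Review bot: The new `r := "ro"` / `r = "rw"` choice in the `!canMountSys` branch is doing security-relevant work without saying so: it hands the host's `/sys` into the container as a recursive bind (`rbind`) and, when `--privileged` is set, drops the only mount-level restriction on it, so the sole thing keeping a rootless user from writing to host sysfs is host DAC on the files behind the bind. Worth a comment above `r := "ro"`, e.g. `// Host /sys is bind-mounted here, presumably because sysfs cannot be mounted from a user namespace that does not own the network namespace; "rw" relies on host DAC alone, and "ro" on an rbind applies to the top mount only — submounts under /sys (cgroup, bpf, ...) keep the host's mode unless the runtime remounts them.` Naming-wise `r` is opaque next to the existing `cgroupPerm`; `sysPerm` would read better, and the first hunk's `canMountSys := true` plus conditional reset collapses to `canMountSys := config.UsernsMode.IsHost() || !config.NetMode.IsHost()`. Note also that `cgroupPerm = "rw"` is set only in the first branch, so a privileged rootless `--net host` container keeps whatever `cgroupPerm` was initialised to outside this hunk; that may be intentional given `addCgroup = false`, but it should be stated. `CreateConfigToOCISpec` begins and ends outside both hunks.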