summaryrefslogtreecommitdiff
path: root/cmd/podman
diff options
context:
space:
mode:
authorUrvashi Mohnani <umohnani@redhat.com>2020-11-18 21:36:16 -0500
committerUrvashi Mohnani <umohnani@redhat.com>2020-12-02 16:07:18 -0500
commit0334b6195820f7261f87a4f4e5d739a6d560f4b2 (patch)
treead0667023f0aac28760e9a3bd879099e68684641 /cmd/podman
parente3f0b7db7508f1e1ecfdb23adb53531c89a29b99 (diff)
downloadpodman-0334b6195820f7261f87a4f4e5d739a6d560f4b2.tar.gz
podman-0334b6195820f7261f87a4f4e5d739a6d560f4b2.tar.bz2
podman-0334b6195820f7261f87a4f4e5d739a6d560f4b2.zip
Add mask and unmask option to --security-opt
Add the mask and unmask option to the --security-opt flag to allow users to specify paths to mask and unmask in the container. If unmask=ALL, this will unmask all the paths we mask by default. Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
Diffstat (limited to 'cmd/podman')
-rw-r--r--cmd/podman/common/specgen.go14
1 files changed, 9 insertions, 5 deletions
diff --git a/cmd/podman/common/specgen.go b/cmd/podman/common/specgen.go
index 0bb6e79e5..e0da142ad 100644
--- a/cmd/podman/common/specgen.go
+++ b/cmd/podman/common/specgen.go
@@ -517,18 +517,22 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string
}
switch con[0] {
- case "proc-opts":
- s.ProcOpts = strings.Split(con[1], ",")
+ case "apparmor":
+ s.ContainerSecurityConfig.ApparmorProfile = con[1]
+ s.Annotations[define.InspectAnnotationApparmor] = con[1]
case "label":
// TODO selinux opts and label opts are the same thing
s.ContainerSecurityConfig.SelinuxOpts = append(s.ContainerSecurityConfig.SelinuxOpts, con[1])
s.Annotations[define.InspectAnnotationLabel] = strings.Join(s.ContainerSecurityConfig.SelinuxOpts, ",label=")
- case "apparmor":
- s.ContainerSecurityConfig.ApparmorProfile = con[1]
- s.Annotations[define.InspectAnnotationApparmor] = con[1]
+ case "mask":
+ s.ContainerSecurityConfig.Mask = append(s.ContainerSecurityConfig.Mask, strings.Split(con[1], ":")...)
+ case "proc-opts":
+ s.ProcOpts = strings.Split(con[1], ",")
case "seccomp":
s.SeccompProfilePath = con[1]
s.Annotations[define.InspectAnnotationSeccomp] = con[1]
+ case "unmask":
+ s.ContainerSecurityConfig.Unmask = append(s.ContainerSecurityConfig.Unmask, strings.Split(con[1], ":")...)
default:
return fmt.Errorf("invalid --security-opt 2: %q", opt)
}