author | Daniel J Walsh <dwalsh@redhat.com> | 2021-05-01 05:50:31 -0400 |
---|---|---|
committer | Daniel J Walsh <dwalsh@redhat.com> | 2021-05-04 14:40:43 -0400 |
commit | 4fd1965ab4d1395b5cc4a0e03526ef9c43f794ec (patch) | |
tree | e944a81bbdd86ab0e166923c2fde320311718de0 /cmd | |
parent | 7f2c27d43fc5d109c156e6203bf4901853b3cc7a (diff) | |
Add filepath glob support to --security-opt unmask
Want to allow users to specify --security-opt unmask=/proc/*.
This allows us to run podman within podman more securely than
specifying unmask=all, and also gives the user more flexibility.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'cmd')
-rw-r--r-- | cmd/podman/common/specgen.go | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/cmd/podman/common/specgen.go b/cmd/podman/common/specgen.go
index f889a0169..80a8985e9 100644
--- a/cmd/podman/common/specgen.go
+++ b/cmd/podman/common/specgen.go
@@ -540,7 +540,7 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string
 return fmt.Errorf("invalid systempaths option %q, only `unconfined` is supported", con[1])
 }
 case "unmask":
- s.ContainerSecurityConfig.Unmask = append(s.ContainerSecurityConfig.Unmask, strings.Split(con[1], ":")...)
+ s.ContainerSecurityConfig.Unmask = append(s.ContainerSecurityConfig.Unmask, con[1:]...)
 default:
 return fmt.Errorf("invalid --security-opt 2: %q", opt)
 }
|
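Review bot: The `unmask` case no longer splits its value on `:`, so `unmask=/proc/a:/proc/b` reaches `ContainerSecurityConfig.Unmask` as one raw string, and nothing in this hunk validates it or says where the splitting and glob expansion now happen. The diffstat is limited to `cmd`, so the consumer is not visible here. It is worth confirming that it still splits on `:`, and that an expanded pattern such as `/proc/*` can only lift entries from the default masked and read-only path set rather than arbitrary paths. I would record the contract at the call site with a comment like `// passed through unsplit: ':' separation and glob expansion are handled when the spec is generated`. The neighbouring case indexes `con[1]`, which suggests a single value is expected, so `append(s.ContainerSecurityConfig.Unmask, con[1])` states the intent more directly than `con[1:]...`. The definition of `con` and the rest of `FillOutSpecGen` lie outside the hunk.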