summaryrefslogtreecommitdiff
path: root/cmd
diff options
context:
space:
mode:
authorDaniel J Walsh <dwalsh@redhat.com>2021-05-01 05:50:31 -0400
committerDaniel J Walsh <dwalsh@redhat.com>2021-05-04 14:40:43 -0400
commit4fd1965ab4d1395b5cc4a0e03526ef9c43f794ec (patch)
treee944a81bbdd86ab0e166923c2fde320311718de0 /cmd
parent7f2c27d43fc5d109c156e6203bf4901853b3cc7a (diff)
downloadpodman-4fd1965ab4d1395b5cc4a0e03526ef9c43f794ec.tar.gz
podman-4fd1965ab4d1395b5cc4a0e03526ef9c43f794ec.tar.bz2
podman-4fd1965ab4d1395b5cc4a0e03526ef9c43f794ec.zip
Add filepath glob support to --security-opt unmask
Want to allow users to specify --security-opt unmask=/proc/*. This allows us to run podman within podman more securely, then specifing umask=all, also gives the user more flexibilty. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'cmd')
-rw-r--r--cmd/podman/common/specgen.go2
1 files changed, 1 insertions, 1 deletions
diff --git a/cmd/podman/common/specgen.go b/cmd/podman/common/specgen.go
index f889a0169..80a8985e9 100644
--- a/cmd/podman/common/specgen.go
+++ b/cmd/podman/common/specgen.go
@@ -540,7 +540,7 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *ContainerCLIOpts, args []string
return fmt.Errorf("invalid systempaths option %q, only `unconfined` is supported", con[1])
}
case "unmask":
- s.ContainerSecurityConfig.Unmask = append(s.ContainerSecurityConfig.Unmask, strings.Split(con[1], ":")...)
+ s.ContainerSecurityConfig.Unmask = append(s.ContainerSecurityConfig.Unmask, con[1:]...)
default:
return fmt.Errorf("invalid --security-opt 2: %q", opt)
}