systemd: mask /sys/fs/cgroup/systemd/release_agent

when running in systemd mode on cgroups v1, make sure the /sys/fs/cgroup/systemd/release_agent is masked otherwise the container is able to modify it and execute scripts on the host. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
author: Giuseppe Scrivano <gscrivan@redhat.com> 2019-10-25 21:50:29 +0200
committer: Giuseppe Scrivano <gscrivan@redhat.com> 2019-10-25 21:50:29 +0200
commit: 0d5d6dab57590f9f52666031c1979f4cf136d12e (patch)
tree: 1ea299ce4051562eb8530a5b7b1f6971af20872c /libpod
parent: a01cb220c8389adaeaa8fb2b4c4fbd65e77c0529 (diff)
download: podman-0d5d6dab57590f9f52666031c1979f4cf136d12e.tar.gz
podman-0d5d6dab57590f9f52666031c1979f4cf136d12e.tar.bz2
podman-0d5d6dab57590f9f52666031c1979f4cf136d12e.zip
1 files changed, 1 insertions, 0 deletions
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index b7d353327..283d38a0f 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -550,6 +550,7 @@ func (c *Container) setupSystemd(mounts []spec.Mount, g generate.Generator) erro
 			Options:     []string{"bind", "nodev", "noexec", "nosuid"},
 		}
 		g.AddMount(systemdMnt)
+		g.AddLinuxMaskedPaths("/sys/fs/cgroup/systemd/release_agent")
 	}
 
 	return nil
author	Giuseppe Scrivano <gscrivan@redhat.com>	2019-10-25 21:50:29 +0200
committer	Giuseppe Scrivano <gscrivan@redhat.com>	2019-10-25 21:50:29 +0200
commit	0d5d6dab57590f9f52666031c1979f4cf136d12e (patch)
tree	1ea299ce4051562eb8530a5b7b1f6971af20872c /libpod
parent	a01cb220c8389adaeaa8fb2b4c4fbd65e77c0529 (diff)
download	podman-0d5d6dab57590f9f52666031c1979f4cf136d12e.tar.gz podman-0d5d6dab57590f9f52666031c1979f4cf136d12e.tar.bz2 podman-0d5d6dab57590f9f52666031c1979f4cf136d12e.zip